The European Commission and the US government have signed a new data exchange agreement: the EU-US Data Privacy Framework. This contains agreements about the storage of personal data and other data of European citizens in the US. This brings an end to the legal wrangling over the sharing and storage of data of Europeans outside the EU after almost three years. The European Commission announces the new data transfer agreement via a press statement.
Safe Harbor and Privacy Shield did not provide sufficient protection for European citizens
For years, the EU and US relied on the Safe Harbor agreement to exchange personal data between the two continents. In 2015, the European Court of Justice ruled that this agreement offered too few guarantees to protect the privacy of Europeans. Brussels and Washington then developed a new legal basis in 2016 to allow data exchange to take place. The result of these negotiations was the Privacy Shield.In the summer of 2020, the European Court also struck down this treaty. The Court held that the US did not offer citizens the same level of protection as it does here in Europe. The measures taken by the US to protect personal data needed to sufficiently correspond to the principle of proportionality that the General Data Protection Regulation (GDPR) pursues. In addition, according to the Court, Europeans couldn’t influence the way in which personal data is processed in the US.
New treaty restricts US intelligence services
After nearly three years of negotiations, a new data-sharing treaty has been announced today: the EU-US Data Privacy Framework. Based on this treaty, European companies and organizations can securely transfer the personal data of European citizens to American companies. No additional safeguards need to be formulated to provide the same level of protection for personal data as here in Europe. One of the agreements is that limits will be placed on what data the American intelligence services may collect from European citizens. They can only view data if it is ‘necessary and proportionate’. In addition, there will be more supervision of the intelligence services. A Data Protection Review Court (DPRC) will be set up for this purpose. This independent and impartial body ensures that the intelligence services collect data in a way that does not conflict with the new exchange treaty. Finally, it has been agreed that Europeans can object if American intelligence services have collected their data. For this, they can turn to the European Data Protection Board (EDPB), the umbrella organization in which the privacy supervisors of all EU member states are represented.
Noyb expects the new agreement to reach the Court ‘within a few months.’
Ursula von der Leyen, President of the European Commission, is pleased with the new data exchange agreement. “Thanks to the new data protection treaty, Europeans can rest assured that data flows are secure and businesses on both sides of the Atlantic enjoy the necessary legal certainty (…) The step we are taking today is important: for our citizens’ confidence in the security of their data, for deepening economic ties between the EU and the US, and for giving us the opportunity to reaffirm our common values.”Max Schrems, chairman of the Austrian privacy foundation Noyb, is less enthusiastic about the treaty. He thinks that the agreement will be before the European Court of Justice ‘within a few months’. In a response, he calls the treaty a copy of the failed Privacy Shield’. “Doing the same thing over and over and expecting a different result is the definition of insanity. Like the Privacy Shield, the latest agreement is not based on material changes but on political interests,” said Schrems. The EU-US Data Privacy Framework will come into effect this week. An evaluation will take place in a year’s time, and representatives of European and American regulators will examine how the treaty functions in practice.