(Brussels) Brussels adopted on Monday a new legal framework to allow the transfer of personal data from the EU to the United States, a crucial device for the digital economy after European court decisions having invalidated the precedents.
“The new EU-US personal data protection framework will ensure secure data flows for Europeans and provide legal certainty for businesses on both sides of the Atlantic,” said European Commission President Ursula von der Leyen, in a statement.
US President Joe Biden welcomed this decision which “reflects”, according to him, “the common commitment” of the two partners to “the strong protection of personal data”.
The two devices previously put in place to allow companies to transfer such data from Europeans to the United States had been invalidated due to fears of surveillance by American intelligence services – the last, “Privacy Shield”, in 2020 –.
These appeals to the EU Court of Justice were brought by Austrian privacy activist Max Schrems.
Monday, he announced to take legal action again, considering that the new text did not bring any improvement in terms of the protection of the personal data of Europeans.
“Legal Ping Pong”
“We already have options in the drawers for a new remedy, although we are tired of this game of legal ping-pong. We expect the case to come before the Court of Justice again early next year,” said Max Schrems.
The European Commissioner for Justice, Didier Reynders, admitted that he expected new legal battles. “Referring to the Court of Justice seems to be part of the economic model of certain civil society organizations,” he quipped, in an allusion to the Austrian activist’s European Center for Digital Rights (Noyb).
The establishment of a new framework is essential for digital giants such as Google, Meta and Amazon who complained about the lack of clear rules for transferring data between the two sides of the Atlantic.
In particular, Meta was fined a record 1.2 billion euros at the end of May for violating European data protection rules with its social network Facebook.
In July 2020, European justice had concluded that the “Privacy Shield” used by American companies did not protect possible “interferences in the fundamental rights of the persons whose data were transferred”.
Since then, companies have resorted to alternative legal solutions, with more uncertain legality, to continue these transfers, while waiting for a more solid and sustainable system.
Mme von der Leyen and Joe Biden had reached an agreement in principle in March 2022 on a new legal device, supposed to respond to the concerns expressed by justice.
“Unprecedented Commitments”
The new European legal framework implements this agreement. It provides additional safeguards to ensure that access by US intelligence agencies, in the name of national security, to data collected in Europe and transferred or hosted in the United States is limited to what is “necessary” and “proportionate”.
The text also opens up a possibility of recourse to European nationals if they consider that their personal data has been illegally collected by American intelligence, allowing them to obtain, if necessary, the deletion or correction of this data.
“The United States has made unprecedented commitments,” said Mr.me von der Leyen.
Digital players welcomed this announcement. “After years of waiting, businesses and organizations of all sizes on both sides of the Atlantic finally have the certainty of having a durable legal framework that allows transfers of personal data from the EU to United States”, rejoiced Alexandre Roure, the director of public policies of the CCIA, the lobby of the tech giants.
“Data flows are the basis of EU services exports to the US worth €1 trillion a year, and this decision will give companies more confidence to conduct their business and will contribute to the growth of our economies,” commented Cecilia Bonefeld-Dahl of DigitalEurope, another industry organization.