New transatlantic data transfer agreement comes after "unprecedented" US spying commitment

US companies will be able to join the new EU-US Data Privacy Framework “by committing to comply with a detailed set of privacy obligations" -- but will it be back in court soon?

New transatlantic data transfer agreement comes after "unprecedented" US spying  commitment

The European Union has approved a new deal for transatlantic data transfers in the wake of what it said was an “unprecedented commitment” by the United States to “strengthen the privacy and civil liberties protections applicable to US signals intelligence activities.”

US companies will be able to join the new EU-US Data Privacy Framework “by committing to comply with a detailed set of privacy obligations, for instance the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties.”

That’s according to the European Commission today – with President Ursula von der Leyen saying that the agreement will “bring legal certainty to companies on both sides of the Atlantic… The US has implemented unprecedented commitments to establish the new framework.”

The decision comes two months after Meta was hit with a €1.2 billion fine by Ireland’s Data Commissioner that heralded the suspension of transfers to the US under Standard Contractual Clauses. (These were a temporary mechanism put in place after the transatlantic ‘Privacy Shield’, data transfer agreement was shot down by the Court of Justice of the European Union, which in 2020 declared it invalid in the Schrems II case.)

New EU-US Data Privacy Framework: Back to court?

New EU-US Data Privacy Framework: Back to court?

Max Schrems, the activist who has persistently challenged EU-US data transfers on the grounds of privacy, said today that the new framework “will be likely back at the Court of Justice (CJEU) in a matter of months…

“The allegedly ‘new’ Trans-Atlantic Data Privacy Framework is largely a copy of the failed ‘Privacy Shield’” he claimed… “The fundamental problem with FISA 702 was not addressed by the US, as the US still takes the view that only US persons are worthy of constitutional rights.”

The European Commission said: “EU individuals will benefit from several redress avenues in case their data is wrongly handled by US companies. This includes free of charge independent dispute resolution mechanisms and an arbitration panel.” (An EC Q&A on the framework is here.)

A lengthy ongoing dispute between the EU and US over data transfers  goes back to the revelations by former NSA contractor Edward Snowden that US intelligence agencies were hoovering up huge quantities of detailed data on internet users – and that those affected by this in Europe were not afforded some of the protections that US citizens are.

“An essential element of the US legal framework enshrining these safeguards is the US Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities', which addresses the concerns raised… by the Schrems II decision of July 2020” the EC said.

It added that the new new EU-US Data Privacy Framework is “administered and monitored by the US Department of Commerce. The US Federal Trade Commission will enforce US companies' compliance.”

Critics of previous EU-US data transfer agreements have taken particular aim at FISA 702: rules that underpin US digital surveillance. Privacy advocacy group noyb said in response to the agreement: “There is agreement on both sides of the Atlantic that FISA 702 and EO 12.333 violate fundamental rights under the 4th Amendment in the US and Articles 7, 8 and 47 CFR in the EU -- but the US continues to insist that non-US persons do not have constitutional rights in the US - hence a violation of their right to privacy is not covered by the 4th Amendment.”

Schrems added: “FISA 702 needs to be prolonged by the US this year, but with the announcement of the new deal the EU has lost any power to get a reform of FISA 702… We have various options for a challenge already in the drawer… We currently expect this to be back at the Court of Justice by the beginning of next year. For the sake of legal certainty and the rule of law we will then get an answer if the Commission's tiny improvements were enough or not. For the past 23 years all EU-US deals were declared invalid retroactively, making all past data transfers by business illegal - we seem to just add another two years of this ping-pong now."

See also: NSA warns over “false sense of security” on Black Lotus UEFI bootkit risk