European Commission Adopts EU-US Data Privacy FrameworkNew Data Regime Will Facilitate Commercial Data Flow Between the EU and the US
The European Commission has officially adopted the EU-U.S. Trans-Atlantic Data Privacy Framework, which will enable the free flow of commercial data between Europe and the United States.
Europe's executive body in December approved a draft decision on the framework and on Monday, the European Commission announced the formal adoption of the framework, paving the way for implementation.
"The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic," said European Commission President Ursula von der Leyen. "Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the U.S."
Under the new framework, U.S. companies operating in Europe will be allowed to transfer and process data of European Union citizens in the U.S, which is estimated to create 900 billion euros in crossover business each year. The framework has been deemed important by companies such as Facebook and Google and without it, companies could find it difficult or even impossible to process European data.
The framework is the outcome of nearly two years of negotiations between Brussels and Washington, instigated by a Court of Justice of the European Union 2020 decision invalidating Privacy Shield, the legal framework that had allowed trans-Atlantic commercial data flows since mid-2016.
To address concerns about the U.S. government gathering intelligence about European citizens, the European Court of Justice in 2015 struck down a previous arrangement known as Safe Harbor.
"After the invalidation of the previous frameworks, it was a matter of top priority for the commission," EU Justice Minister Didier Reynders said Monday. "The only way to achieve it was to ensure compliance with the condition set in the ruling of the EU's highest court."
The commission approved the latest framework after obtaining key commitments from the United States, including a pledge to keep intelligence gathering on Europeans proportional to national security. The U.S. Department of Justice also agreed to review European claims that personal information had been wrongly gathered up by U.S. intelligence agencies.
"Each U.S intelligence agency has reviewed its internal rules to implement these new requirements at an operation level. Compliance to such requirements are also subject to new redress mechanisms," Reynders said.
Despite privacy guarantees, the framework has been criticized by the European Data Protection Board for a lack of clarity on key aspects governing its implementation. In May, the European Parliament adopted a resolution calling on the European Commission to reopen negotiations with the United States.
Max Schrems, a privacy activist who filed both lawsuits against the previous data regimes, said the latest framework is just a copy of the previous regulatory attempts.
"We now had 'Harbors,' 'Umbrellas,' 'Shields' and 'Frameworks' - but no substantial change in U.S. surveillance law," Schrems said. "Just announcing that something is new, robust or effective does not cut it before the Court of Justice. We would need changes in U.S. surveillance law to make this work."
Schrems added that his organization will challenge the latest framework as well.
On the question of a likely legal challenge to the Data Privacy Framework, Reynders said it would be useful to "test the new U.S. system" before challenging the adequacy decision. He added that the right to deletion of European data and the establishment of a redress mechanism would resolve the privacy concerns previously raised.
The EU-U.S. Data Privacy Framework will go into effect in December and will be subject to yearly review by the European Commission after implementation.