EU and US Reach Much-Anticipated Data-Sharing Accord

EU and US flags

In a victory for companies like Google and Meta, Europe and the U.S. have reached a data-sharing agreement.

The European Commission announced Monday (July 10) the finalizing of the EU-U.S. Data Privacy Framework after concluding that the U.S. offers a level of data protection in line with what’s offered by the European Union.

“On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards,” the commission said in a news release.

According to the release, the framework includes safeguards such as limits on access to EU data by U.S. intelligence services “to what is necessary and proportionate,” and establishes a Data Protection Review Court (DPRC) which can order the deletion of data it finds was collected in violation of the new rules.

The agreement allows for data from big tech companies to continue flowing between Europe and the United States.

As PYMNTS has written, relations between these companies and Europe have grown increasingly tense following a landmark decision by the Court of Justice of the European Union (CJEU) in 2020 that struck down the data-sharing agreement Privacy Shield.

In May, Meta was fined a record $1.3 billion after the Irish Data Protection Commission (DPC), found that the company violated Europe’s General Data Protection Regulation (GDPR) by failing to guard European Facebook users’ data against U.S. surveillance practices.

Meta has said it will appeal the decision.

Both the U.S. and the EU had been working over the past two years to come to a new agreement.

In October of last year, President Joe Biden signed an executive order designed to add new safeguards against American intelligence activity, saying such activities need to be “conducted only in pursuit of defined national security objectives” and take “into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence.”

The new agreement was criticized by privacy group noyb, which argued on its website that the privacy framework was essentially a rehash of previous, unsuccessful data sharing rules, both Privacy Shield and “Safe Harbor,” adopted in 2000.

The group’s leader, Max Schrems, had challenged those rules, saying they violated European privacy rights, and indicated Monday he planned to challenge this version as well.

“We now had ‘Harbors’, ‘Umbrellas’, ‘Shields’ and ‘Frameworks’ — but no substantial change in US surveillance law,” Schrems said in a Monday news release.

“The press statements of today are almost a literal copy of the ones from the past 23 years. Just announcing that something is ‘new’, ‘robust’ or ‘effective’ does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work — and we simply don’t have it.”