A new deal on data transfers between the EU and US has alarmed businesses and privacy campaigners.
The pact, known as the EU-US Data Privacy Framework, was announced on Monday by the European Commission. The EU’s executive body concluded that the US offered an “adequate level of protection” for data transfers under the new arrangements.
The framework replaces the Privacy Shield, which the EU’s top court had struck down in July 2020 over concerns that the US didn’t provide sufficient protection against government surveillance.
As a result, companies were forced to move data by using a mechanism called Standard Contractual Clauses (SCC), which can be burdensome to manage. As Meta recently learned, the process could also have costly consequences.
In June, the Facebook owner was fined €1.2bn for mishandling personal information under SCCs — a record penalty for a breach of the GDPR. Meta described the ruling as “unjustified and unnecessary.”
Under the new framework, companies have been offered hope of clearer, easier data flows. The deal also adds new safeguards, including a new review court for data protection and restricted access to EU data by US intelligence services.
Yet critics say the new arrangements provide insufficient safety. They note that the Fourth Amendment, which would protect them from US government spying under existing American legislation, still doesn’t apply to EU citizens.
“[The framework] limits US spy agencies to what is ‘necessary and proportionate,’ but that is little comfort to EU citizens who remember similar promises under Safe Harbour and Privacy Shield,” said Paul Bischoff, consumer privacy advocate at cybersecurity site Comparitech.
Another cause of concern is the possibility of further changes. The privacy campaigner Max Schrems, who previously challenged data-sharing deals between the US and the EU, has already threatened legal action against the new framework.
As a result, businesses must now adapt to yet another set of rules that could also be undone.
“The fact that the agreement has already been successfully challenged twice means there is a real risk it will be invalidated once again, leaving companies further in the dark about how to move forward,” said Cory Munchbach, CEO of customer data platform BlueConic.
The challenge from Schrems and his privacy non-profit, noyb (None Of Your Business), could lead the framework to be overturned within a few years.
David Dumont, a lawyer at Hunton Andrews Kurth, who specialises in EU privacy law, warns that businesses need reassurances they can rely on the new rules.
“If the new adequacy decision would, once again, be struck down by the Court of Justice of the EU, organisations may lose faith in the feasibility of a successful EU–U.S. data transfer framework and turn to EU Standard Contractual Clauses as their sole and permanent solution to legitimise data transfers to the States.”