The EU-US Data Privacy Framework: Third time's a charm, or is it just wishful thinking?

On July 10, 2023, The European Commission  approved a new deal that lets organizations freely transfer data between the EU and the United States, potentially bringing the three-year-long legal uncertainty to a close.

This  EU-US Data Privacy Framework recognizes the US as a country that provides sufficient protection for the personal data of European citizens. It opens the door to transatlantic data exchanges after the EU top court shut it in 2020, following concerns that US intelligence agencies had too much access to user data.

This is an impactful decision since, according to the White House, transatlantic data flows represent $7.1 trillion of value in the economic activities of the many companies that carry out business on both continents.

Many US-based companies, whose services require cross-border data flows, especially in relation to services using AI, cloud computing, and social media platforms, have been eagerly awaiting the announcement of the EU-US Framework. For them, the adequacy decision serves as an essential driver in the trans-Atlantic technology and data economy. 

An example of that is Threads, an application released by Meta in July 2023 that has not been made available to Europe-based customers due to privacy concerns, with the company taking multiple steps to prevent customers from accessing the new social app. 

With the stage set by the approval of the EU-US Data Privacy Framework, let's now delve into the intricacies of this significant decision and its implications for transatlantic data transfers and the technology sector.

Data privacy between EU and US: Quick recap

It all starts with the GDPR and its Article 45(3) which grants the Commission the power to decide whether a non-EU country ensures “an adequate level of protection” for personal data equivalent to the protection level within the EU (called the “adequacy decision”).

The previous adequacy decisions around the data flow between the EU and the US (the  so-called EU-US Privacy Shield) were invalidated by the Court of Justice following lawsuits filed by the privacy activist Max Schrems.

As a result, the European Commission and the US government started discussing a new framework that would address all the issues raised by the Court.

In March 2022, President von der Leyen and President Biden announced reaching an agreement on a new transatlantic data flow framework. Later that year, President Biden signed an Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities,” with regulations issued by the US Attorney General added.

What does the new framework entail?

If US corporations mishandle user data, customers in the EU will have many options for redress, including free access to both an arbitration tribunal and impartial dispute resolution processes.

Individuals in the EU will have access to an independent and unbiased redress process about the acquisition and use of personal data by US intelligence agencies, which will include a newly established Data Protection Review Court (DPRC). The Court will examine and decide complaints independently, including by imposing binding remedial measures. However, the Court will consist exclusively of US citizens, which may put its impartiality into question.

Furthermore, the US legal framework includes a variety of safeguards for US public authorities access to data supplied under the framework, particularly for criminal law enforcement and national security purposes. Data access is restricted to what is required and proportional to national security.

The protections put in place by the United States will also help transatlantic data flows in general, as they apply when data is moved via other instruments, such as standard contractual terms and binding business norms.

The European Commission will assess the EU-US Data Privacy Framework within a year and then every four years to determine the effectiveness of the new US privacy measures for Europeans.

Bitkom, Germany's largest digital economy association, views the EU-US Framework as particularly beneficial to EU-companies, noting that individual case evaluations will no longer be required in the future, which will benefit small and medium-sized businesses in particular. 

Data without borders: The crucial link between EU-US data flow and global services

The unrestricted flow of data supports many of the services on which consumers have come to rely, from banking and telecommunications to crucial public services like healthcare and education. Thousands of businesses and other organizations rely on the ability to move data between the EU and the US to function and deliver services that consumers rely on on a daily basis.

Without the ability to move data across borders, the internet space risks becoming divided into national and regional silos, limiting the global economy and preventing residents in other nations from accessing many of the shared services. That is why ensuring a solid legal framework for data transmission between the US and has been a priority on both sides of the Atlantic. 

Our take on the new EU-US data privacy framework 

The agreement doesn’t yet mean that your data is safe everywhere. Chances are that the new data privacy framework will be overthrown by the end of the year.

Max Schrems, the privacy activist who filed lawsuits that led to the closure of the two previous data pacts, said he will probably challenge the new agreement in court by the end of August. He expects his complaint to come before the European Court of Justice in early 2024. 

This is confirmed by NYOB - European Center for Digital Rights he founded, the European Commission's third effort to reach a solid deal on EU-US data transfers would most likely end up back in the Court of Justice in a matter of months. Only time will tell what comes out of this...

According to the European Data Protection Board (EDPB), the new deal demonstrates "substantial improvements" over earlier pacts but still lacks some protections. The European Parliament criticized the revised deal, claiming that it still allows some bulk collection of personal data and has insufficient privacy safeguards for Europeans.

It would be great if the new framework could really guarantee full data privacy. At Tilaa, we still have our doubts about this because the agreement has yet to signal the end of the long-running drama.

So, it pays to keep an eye on these developments and check the small print regarding data security, especially when it comes to your cloud vendor agreements.