The personal data of Europeans can now be freely and securely transferred from the EU to the US without any additional conditions or approvals, based on a mechanism that protects people and provides legal certainty for companies. The Data Privacy Framework (DPF) was announced back in March 2022, but it took over a year to complete. The previous data export mechanism was declared invalid by EU judges three years ago.
The current decision is the third in a row and it is not yet clear how sustainable it will be. EU Commissioner Didier Reynders is optimistic, arguing that the structure is not just a copy of previous transmission mechanisms, but “a completely different system and a very reliable solution.” Both previous agreements (known as the Safe Harbor and Privacy Shield) were rejected by the EU’s highest court when it found that personal data exported to the US was not protected to the required legal standards.
Data activists warn that the new deal may also have flaws. Critics of the agreement argue that the US has taken no steps to protect foreigners’ information. In their view, the DPF still contains the same fundamental legal conflict between EU data protection rights and US surveillance powers outlined in Section 702 of the Foreign Intelligence Surveillance Act (FISA). That section concerns the collection of personal information from individuals located outside of the United States.
Reynders acknowledged that today’s green light is in fact a unilateral decision by the EU executive, that months (or even years) of debate in the EU court still lie ahead, and that a final verdict on the DPF may take years to come. For reference, legal issues under the Privacy Shield were brought to court in May 2018 and the decision to scrap this mechanism did not appear until July 2020.
“They say the definition of insanity is doing the same thing over and over again and expecting a different result. As with the Privacy Shield, the latest agreement is not based on material changes, but on political interests,” said Max Schrems, chairman of the data protection group. “FISA 702 is due to be renewed by the US this year, but with the announcement of the new DPF agreement, the EU missed every opportunity to influence FISA 702 reform.”
“We have achieved significant changes in the United States legal framework,” Reynders argues. “Necessity and proportionality requirements are now backed by US safeguards. When assessing the possibility of accessing US intelligence data, the same factors as the requirements of EU case law are taken into account. These include the nature of the data, the severity of the threat and the likely human rights impact. Each US intelligence agency has revised its internal rules and procedures to implement the new requirements at the operational level.”
Regarding the redesigned redress mechanism, Reynders described it as “an independent and impartial tribunal empowered to investigate complaints submitted by Europeans and make binding corrective decisions”, also indicating that this entity has the right to request the deletion of data collected in violation.
He stressed that the mechanism is “user friendly”: EU citizens can lodge a complaint with their local data protection authority, free of charge and in their own language. The applicant does not have to prove that US secret services have accessed their data. The interests of the plaintiff are represented free of charge by a special lawyer with security clearance. Compensation is overseen by an independent body, the Privacy and Civil Liberties Oversight Board.
Critics of the new deal believe this whole multi-year process is just a way for lawmakers on both sides of the ocean to get a few more years of delay. Meta* is a good example: it has been prosecuted for almost a decade for transferring data from the EU to the US. In May, the company was asked to suspend the transfer of personal data for six months. But now that the DPF has been adopted, it can simply ignore the suspension order. It still has to pay $1.3 billion.
The process, which human rights activists call a “frustrating legal ping-pong”, shows how difficult it is for EU citizens to exercise their right to privacy. Tech giants can trample on people’s rights as long as they make enough profit to write off any penalties as a cost of doing business.
Of course, current law requires companies to demonstrate full compliance with the GDPR (General Data Protection Regulation). That will not be easy for Meta*, as EU regulators have questioned the legal basis that Meta* relies on in processing data for ad targeting. Even if the ad tech giant doesn’t have to cut off all traffic between the EU and the US, some drastic reforms in the EU advertising business now seem inevitable for the company.
* It is included in the list of public associations and religious organizations for which the court made a final decision to liquidate or ban activities on the grounds provided for in Federal Law No. 114-FZ of July 25, 2002 “On Combating Extremist Activity”.