Criticism of New Privacy Shield Between EU and U.S.
The European Union and the U.S. have approved a new agreement allowing U.S. companies to freely exchange data between the EU and the United States, potentially ending three years of legal uncertainty for the major U.S. Tech companies such as Meta and Google.
What is the new pact between the EU and the US?
The European Commission has formally recognized the U.S. as a country with adequate protection for Europeans’ personal data and has adopted a so-called adequacy decision under its landmark privacy law, the General Data Protection Regulation.
The EU-U.S. Data Privacy Framework, (again) paves the way for lucrative transatlantic data exchanges. This data sharing has been a difficult issue in recent years given that the European Court of Justice pulled the plug on the governments’ previous data agreement, known as the Privacy Shield, in 2020.
The European Court of Justice held that U.S. intelligence agencies had too much leeway to obtain the personal data of Europeans.
Why is this new Privacy Shield important?
Multinationals operate in multiple jurisdictions and they must be able to ensure that data about their customers moving across borders is handled in a way that is both secure and compliant with data protection regulations.
The data of European users transmitted to America by these multinationals can be accessed by U.S. intelligence agencies without too much trouble. In addition, companies such as Meta, Google and Amazon collect huge amounts of data on their users, which they use to inform their algorithms for recommending content and personalizing ads.
There are also numerous examples of agencies where multinational corporations exchange data unauthorizedly such as, for example, the unauthorized exchange of data with Cambridge Analytica.
Research on Technology Companies in Europe and the U.S.
The way these technology companies handle data has come under heavy scrutiny from national data protection authorities and privacy activists.
Europe has strict rules when it comes to processing Internet users’ data of which the GDPR provisions are the best example.
In contrast, the US has no federal data protection law that covers the privacy of all types of data. In the process, individual U.S. states have devised their own respective data privacy rules with California leading the way.
Record fine for Meta due to Inadequate Data Protection among SCCs
Without clear rules in place, companies in the interim relied on so-called “standard contract clauses” (SCC) to ensure they still had data on the Atlantic Ocean can move. However, these SCC do not provide an Adequate level of protection of European user’s personal data. For example, the Irish Data Protection Authority ruled that Meta’s use of SCCs to transfer personal data to the US violates the GDPR. The American Tech giant was fined a record $1.3 billion.
Does this new “Privacy Shield‘ the solution?
The adoption of a new data privacy framework means that companies now have certainty about how they can process data across borders in the future.
Had there been no agreement, some companies may have been forced to shut down operations in Europe. Meta previously warned that there is indeed a risk that they would have to shut down their operations in Europe because of those huge fines imposed on them by European data protection authorities.
New EU-US Data Protection Agreement: Criticism and Review within a Year
The European Data Protection Board (EDPB) believes the new agreement showed “substantial improvements” compared to previous pacts, but still lacked some safeguards.
The European Parliament opposed the new pact, arguing that it still allows some bulk collection of personal data and does not provide sufficient protection for Europeans’ privacy. However, the opinions of the EDPB and the European Parliament are not binding and cannot derail the agreement.
The European Commission will evaluate the effects of the new Data Privacy Framework within the year and then monitor the effectiveness of the new U.S. privacy safeguards for Europeans every four years.
The displeasure of NOYB
Schrems, the Austrian privacy activist who helped bring down Privacy Shield, has expressed his displeasure with the new Privacy Shield on several occasions. He therefore plans to take the case to the European Court of Justice again.
In a statement, Schrems said his law firm, Noyb, is already preparing the necessary legal action.
“We currently expect this to be back before the Court early next year,” Schrems said.
The Court of Justice could then even suspend the new deal while it reviews its contents. For the sake of legal certainty and the rule of law, there would then be an answer to the question of whether the Commission’s minor improvements were sufficient or not.
Privacy activists say the measures are not enough, as U.S. privacy laws do not protect non-U.S. citizens, meaning people in the EU cannot enjoy the same level of protection.
Whether the framework will ever be successful depends on whether European courts find U.S. personal data protection sufficient to provide essential equivalence to EU protection.
Companies will need to carefully consider these potential challenges in their scenario planning.
For more information regarding this new Privacy Shield, contact an accredited DPO.