EU-US agree personal data transfer rules but privacy concerns remain

An agreement allowing personal data to be more easily transferred between the EU and the US has been finalized, but further legal challenges are expected.

The formal adoption of what’s known as an adequacy decision for the EU-US Data Privacy Framework deals with Article 45(3) of the EU General Data Protection Regulation (GDPR). This article states that the personal information of EU citizens is permitted to flow freely to jurisdictions in which there is an “adequate” level of protection.

The EU’s explanation of the latest development states: “The draft decision concluded that the United States ensures an adequate level of protection for personal data transferred from the EU to US companies.” US companies will need to commit to complying with a detailed set of privacy regulations in order to join the Framework.

GDPR requirements

Legislators hope this will streamline the process by which companies transfer data from the EU to the US. Currently, standard contractual clauses are used to ensure data is transferred according to the requirements of the GDPR. But this means different contracts are required for data transfers to different companies, making the process resource-heavy, particularly for smaller companies.

The Framework eliminates the need for individual contracts if the supplier signs the commitment agreement confirming they are sticking to guidelines. Cliodhna Ni Ghadra and Rosie Duckworth from Macfarlanes provided some analysis recently on GRIP, and we have been covering developments over the past year.

Didier Reynders, the EU Justice Commissioner, said the agreement was “robust” and would ensure “personal data can now flow freely and safely” between the jurisdictions. But privacy campaigners are already planning challenges, with Max Schrems’ European Center For Digital Rights group – also known as None of Your Business (NOYB) – already calling the agreement “largely a copy of the failed ‘Privacy Shield’” and predicting it will be “back at the Court of Justice (CJEU) in a matter of months”.

Schrems is a prominent privacy activist and the driving force behind the Schrems I and Schrems II rulings on data storage and individual privacy.

US intelligence and data

Chief among the concerns of privacy campaigners is the introduction of a new rule to address the issues raised in Schrems II. This means, says the Commission, that: “Access to European data by US intelligence agencies will be limited to what is necessary and proportionate to protect national security.” A new Data Protection Review Court has been created to give individuals the opportunity to seek redress.

Schrems says: “the US will attribute another meaning to the word ‘proportionate’ than the EU”, and references the use of the US Foreign Intelligence Surveillance Act 1978 Amendments Act of 2008. This was the legislation under which the huge surveillance programs revealed by whistleblower Edward Snowden were carried out.

Schrems continued: “We’ve now had ‘Harbors’, ‘Umbrellas’, ‘Shields’ and ‘Frameworks’ – but no substantial change in US surveillance law. The press statements of today are almost a literal copy of the ones from the past 23 years. Just announcing that something is ‘new’, ‘robust’ or ‘effective’ does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work – and we simply don’t have it.”

It’s clear that legal battles over personal privacy rights are far from over, with the row over the EU announcement coming within days of a significant ruling by the CJEU upholding a decision by the German antitrust regulator to compel Meta to stop collecting user data without consent.