Date: 2023-07-25

On July 10, the European Commission announced a new data transfer pact with the United States, a landmark and long-delayed deal that will allow the seamless transfer of personal data from the EU to companies based on US soil.

Titled the EU-US Data Privacy Framework, this accord permits US firms to maintain and process European data, thus securing the operations of tech behemoths like Google and Meta.

Although the agreement was inked in 2022, Europe’s top court had struck down two previous pacts because of concerns about US intelligence agencies accessing European citizens’ private data.

The Computer & Communications Industry Association, a non-profit whose members employ one million people in the tech sector and generate $540 billion annually, hailed the decision as a milestone which would allow EU and US businesses to have “full legal certainty again to transfer personal data across the Atlantic”.

Against a backdrop of mounting tensions with Russia and an escalating rivalry with China, the US has increasingly recognised the value of its transatlantic partnership with Europe.

The US-EU data transfer pact has implications beyond the bilateral relationship between these two entities. The splintering of the Western bloc, driven by unresolved data transfer disagreements, would provide an opportunity for China to fortify its position in the global digital ecosystem.

Indeed, in its effort to revitalise the transatlantic alliance, the Biden administration recognised that data fragmentation within this alliance would potentially empower China, allowing it to expand its digital influence globally.

Beyond commercial interests, the US is endeavouring to elevate the importance of the Western model of digital governance as a counterbalance to China.

Struggle over transatlantic data privacy

EU privacy laws have long prohibited the transfer of its citizens’ data outside of the EU unless it is moved to a location considered to provide ‘adequate’ privacy protections in line with those of the EU.

The Safe Harbour Agreement, a former pact established between the European Commission and the US in 2000, fundamentally committed to protecting the data of EU citizens when transferred by American companies to the US.

Nonetheless, in 2015, after a protracted two-year legal battle and in the aftermath of the revelations from Edward Snowden, the top court in the EU invalidated the Safe Harbour Agreement. The court determined that this arrangement did not provide sufficient safeguards for consumer data.

In response to the Safe Harbour ruling, the Privacy Shield was established in 2016 to enable businesses in the EU and the US to transfer data more easily between the two regions. Over 5000 companies utilised this system. However, in 2020, the European Court of Justice declared that the Privacy Shield agreement too did not align with European privacy rights.

This decision marked the second time Austrian data-protection activist Max Schrems successfully overturned an EU-US data-sharing pact. In 2015, he campaigned for the court to invalidate Safe Harbour, the predecessor to the Privacy Shield, citing concerns that American spy agencies could access data transferred from the EU.

Schrems used a similar argument with the Privacy Shield agreement. He filed a complaint against Facebook, arguing that his privacy rights were compromised when his data was transferred to the US, thereby making it susceptible to American surveillance. The case eventually grew into a broader referendum on the legitimacy of data-transfer agreements when data is exported from the EU.

What changed?

The European Commission officially acknowledged the US as a country providing sufficient protection for European citizens’ personal data, by adopting what is referred to as an adequacy decision under its privacy legislation, the General Data Protection Regulation.

An adequacy decision is a method through which the EU evaluates whether a non-EU country provides an adequate level of data protection.

“Adequacy” does not necessitate that the third country’s data protection system exactly mirrors that of the EU, but it must meet a standard of “essential equivalence” determined by an assessment of the protections applicable to personal data as well as the oversight mechanisms and avenues for redress available.

The Data Framework offers several new rights to EU individuals whose data will be transferred to participating US companies. These rights include the ability to access their data, as well as to seek correction or deletion of inaccurate or unlawfully processed data.

Additionally, the framework provides various redress channels in the event of incorrect data handling, including recourse to independent dispute resolution mechanisms and an arbitration panel, both available free of charge.

US companies can certify their participation in the framework by pledging to adhere to a comprehensive set of privacy obligations. These could encompass privacy principles like limiting the purpose of data use, minimising data collection, and controlling data retention, as well as specific responsibilities related to data security and third-party data sharing.

A pivotal element of the US legal framework, upon which the adequacy decision is anchored, is the executive order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’. Signed by President Biden on October 7 last year, this order is supplemented by regulations put in place by the attorney general.