The European Commission on Monday announced it adopted a new agreement with the United States to allow for transatlantic data flows without fear of violating the European Union’s General Data Protection Regulation (GDPR).
The EU-U.S. Data Privacy Framework allows for participating companies to transfer data between the two regions without having to put in place additional data protection safeguards, said the European Commission in a press release. The framework was agreed to in principle in 2022 after previous iterations, including the Privacy Shield, were scrapped by the Court of Justice of the European Union (CJEU) over U.S. surveillance concerns.
The new framework seeks to address those concerns through safeguards limiting access to EU data by U.S. intelligence services and the formation of a review court that can call for the deletion of EU citizens’ data if it is found to be collected in violation of the safeguards. The framework advanced to adequacy despite pushback from European Parliament and others as part of the approval process.
“Following the agreement in principle I reached with President Biden last year, the U.S. has implemented unprecedented commitments to establish the new framework,” said European Commission President Ursula von der Leyen in the release.
The U.S. Department of Commerce announced last week it fulfilled its commitments to implement the framework.
The adoption of the framework comes less than two months after the Irish Data Protection Commission announced it fined Meta a record 1.2 billion euros (then-U.S. $1.3 billion) under the GDPR for its improper reliance on standard contractual clauses for transatlantic data transfers in the aftermath of the CJEU scrapping the previous Privacy Shield in July 2020. Meta, in response to the penalty, said it would appeal the decision, citing the then-pending transfer framework between the two regions.
One of Meta’s largest critics, Austrian privacy campaigner Max Schrems, was also responsible for the legal challenges that resulted in the end of the previous Privacy Shield and its first iteration, Safe Harbor. Schrems, through his data rights group NOYB, said in a statement to expect the new framework to be challenged before the CJEU “in a matter of months.”
“They say the definition of insanity is doing the same thing over and over again and expecting a different result,” said Schrems. “Just like ‘Privacy Shield,’ the latest deal is not based on material changes but by political interests. … We would need changes in U.S. surveillance law to make this work—and we simply don’t have it.”
Regarding next steps, the European Commission said the new framework will be reviewed within a year to “verify that all relevant elements have been fully implemented in the U.S. legal framework and are functioning effectively in practice.”