A deal to ensure data from Meta, Google and dozens of other technology companies can continue to flow between the United States and the European Union was finalized on Monday, after the digital transfer of personal information between the two jurisdictions came into question due to privacy concerns.
The decision adopted by the European Commission is the latest step in a years-long process and resolves – at least for now – the dispute over the ability of US intelligence agencies to access data on EU residents. The debate raised US national security concerns against European privacy rights.
The agreement, known as the EU-US Data Privacy Framework, gives Europeans the ability to object when they believe their personal information has been improperly collected by US intelligence agencies. A new independent review panel made up of US judges, called the Data Protection Review Tribunal, will be set up to hear such appeals.
Didier Reynders, the European commissioner who helped negotiate the agreement with US Attorney General Merrick P. Garland and Secretary of Commerce Gina Raimondo, called it a “robust solution.” He explained that the agreement more clearly defines when intelligence agencies will be able to retrieve personal information about people in the EU, and also outlines how Europeans can appeal such collection.
“It’s a real change,” Mr. Reynders said in an interview. “Protection travels with data.”
President Biden issued an executive order laying the groundwork for the deal in October, requiring US intelligence officials to add more protections to the collection of digital information, including making it proportionate to national security risks.
The transatlantic agreement has been a top priority for the world’s largest technology companies and thousands of other multinational companies that depend on the free flow of data. The agreement replaces an earlier one, known as the Privacy Shield, which was invalidated in 2020 by the EU’s highest court because it did not include sufficient privacy protections.
The lack of agreement has led to legal uncertainty. In May, the European privacy regulator cited a 2020 ruling when fining Meta 1.2 billion euros ($1.3 billion) and ordering him to stop sending information about Facebook users in the European Union to the United States. Meta, like many companies, moves data from Europe to the United States, where it has its headquarters and many of its data centers.
Other European privacy regulators have ruled that services provided by US companies, including Google Analytics and MailChimp, could violate the privacy rights of Europeans because they moved data through the US.
This issue dates back to when Edward Snowden, a former US national security contractor, released details of how foreign US surveillance agencies could profit from data stored by US technology and communications companies. Under laws such as the Foreign Intelligence Surveillance Act, US intelligence agencies may seek access to data about international users of companies for national security purposes.
After the information was revealed, Austrian privacy activist Max Schrems launched a lawsuit arguing that Facebook storing its data in the United States violated its European privacy rights. The European Union’s Supreme Court agreed, striking down two previous agreements to share data across the Atlantic.
Mr. Schrems said on Monday that he plans to sue again.
“Just announcing that something is ‘new’, ‘powerful’ or ‘effective’ doesn’t cut it before a court of justice,” Mr Schrems said in a statement, referring to the European Union’s supreme court. “We’re going to need changes in US surveillance law to make this work — and we simply don’t have it.”
Members of the European Parliament criticized the agreement. Parliament had no direct role in the negotiations, but passed a non-binding resolution in May saying the agreement failed to provide adequate protection.
“The framework does not provide any meaningful safeguards against indiscriminate surveillance by US intelligence agencies,” said Birgit Seibel, a European lawmaker from the Group of Socialists and Democrats who specializes in civil liberties issues. “This lack of protection leaves Europeans’ personal data vulnerable to mass surveillance, undermining their privacy rights.”
Mr Reynders said people should wait to test the new policy in practice.
He said the new framework would establish a system through which Europeans could raise their concerns with the US government. First, Europeans who suspect their data is being collected unfairly by a US intelligence agency should file a complaint with the national data protection regulator. After further review, the authorities will take the matter up with US officials in a process that may eventually reach the new review committee.
This month, Ms. Raimundo said the US Department of Justice had established that the 27-nation European Union would have access to tools that would allow them to complain about violations of their rights. The Office of the Director of National Intelligence also confirmed that intelligence agencies added safeguards that were put in place by order of Mr. Biden, she said.
“This marks the culmination of months of significant cooperation between the United States and the European Union and reflects our shared commitment to facilitating the flow of data between our jurisdictions while protecting individual rights and personal data,” said Ms. Raimundo in a recent statement.