Businesses can continue to transfer data from the EU to the US as usual after the two superpowers reached a landmark data-sharing deal this week.
The framework, which replaces a previous agreement that lapsed in 2020, is a major development that has implications for U.S. tech giants, which rely on it to transfer European users’ data back to the United States.
If it is not in place, these companies face costly local processing and storage of user data, or withdrawing operations from the EU altogether. So agreement on the new rules will give some relief to Meta and other U.S. companies that share vast amounts of user data around the world.
However, the rules are already under threat of legal challenges from privacy activists who are dissatisfied with the level of protection the measures offer European citizens. They say this is no different from the earlier Privacy Shield framework.
CNBC brings you all there is to know about the new EU-US privacy framework, why it matters, and its chances of success.
What is the new EU-US data privacy framework?
The new data-sharing agreement is called the EU-US Data Privacy Framework, designed to ensure that data can flow safely between the EU and the US without additional data protection measures.
In a statement on Monday, the European Commission, the EU’s executive arm, said it had concluded that U.S. data protection laws provided an “adequate level of protection” for European citizens and introduced new safeguards that would limit U.S. intelligence agencies’ access to EU data.
A new data protection review court will be created for Europeans to lodge privacy complaints. It will have the power to order companies to delete user data if it finds that the information collected violates the new safeguards.
Why is a new data transfer protocol needed?
The data privacy framework replaces a previous agreement called Privacy Shield, which allowed companies to transfer Europeans’ data to the US to be stored and processed in their domestic data centers.
Schrems said NSA whistleblower Edward Snowden’s revelations about US surveillance meant US data protection standards could not be trusted.
He filed a complaint with the Irish Data Protection Commission, Facebook’s main regulator on data privacy in Europe, against the social network, which, like many others, transferred his and other users’ data to the United States.
The complaint reached the European Court of Justice, which ruled in 2015 that the then Safe Harbor agreement (the mechanism that previously allowed European users’ data to be transferred to the US) was invalid, and that European citizens were not adequately protected.
It was replaced by Privacy Shield, which was then also abandoned.
Meanwhile, companies rely on separate mechanisms known as standard contractual clauses to ensure they can still transfer data across the Atlantic.
These tools are also under threat.
The Irish DPC ruled in May that Meta’s use of SCCs to transfer personal data to the US violated the European Union’s General Data Protection Regulation. The US tech giant was fined a record $1.3 billion.
Why does this matter?
Multinational companies operating in different jurisdictions need to move customer data across borders in a secure manner that complies with data protection regulations.
US tech giants have been sharing data on their European users. It is an important part of the Internet and an open and interconnected platform.
But the way these tech companies handle data has come under intense scrutiny from regulators and privacy activists.
Meta, Google, Amazon and others collect reams of user data, which they use to inform content-recommendation algorithms and personalize ads.
There are also numerous scandalous examples of tech companies misusing personal data, most notably Meta’s improper sharing of data with the controversial political consultancy Cambridge Analytica.
Europe has strict regulations regarding the processing of internet user data.
In 2018, the General Data Protection Regulation (GDPR) came into force, placing strict requirements on organizations to ensure they handle user data safely and securely. This is a law that applies to all countries in the European Union.
On the other hand, the US does not have a single federal data protection law that covers the privacy of all types of data.
Instead, U.S. states have enacted their own data privacy regulations, with California leading the way.
“Data transfers between the EU and the US are subject to intense regulation and political scrutiny, so there are significant differences in the US legal protections put in place to support the new framework,” Holger Lutz, a partner at law firm Clifford Chance, told CNBC via email.
“At the same time, US law has been amended to strengthen the protection of EU personal data and the rights of EU citizens related to that data. These protections are not limited to the new framework – they also protect EU-US personal data transfers outside the framework, and in accordance with the other legal instruments, such as EU Standard Contractual Clauses, could be taken into account when making such transfers.”
Will it work?
The approval of the new data privacy framework means businesses can now determine how data will be processed across borders in the future.
Without a deal, some companies could be forced to close operations in Europe. Indeed, Meta warned in February 2022 that it was a risk.
Still, obstacles remain.
Austrian privacy activist Schrems, who helped overturn the Privacy Shield, has said he plans to launch a legal challenge to tear up the new data-sharing agreement.
In a statement, Schrems said his law firm Neub “already has various options in the drawer to deal with the challenge”.
“We currently expect this to return to court early next year,” Schrems said.
“The court can even suspend the new agreement while it reviews the substance. For the sake of legal certainty and the rule of law, we will have an answer as to whether minor improvements from the Commission are enough.”
Privacy activists say the measures aren’t enough because U.S. privacy law doesn’t extend protections to non-U.S. citizens, meaning people in the European Union don’t get the same level of protection.
“Whether the framework is successful will depend on whether the European Court of Justice finds that the protections for personal data in the US are sufficient to achieve substantial equivalence with EU protections,” Clifford Chance’s Lutz told CNBC.
“Companies will carefully consider these potential challenges in their scenario planning.”