A deal to ensure that data from Meta, Google and scores of other companies can continue flowing between the United States and the European Union was completed Monday, after the digital transfer of personal information between the two jurisdictions had been thrown into doubt because of privacy concerns.
The decision adopted by the European Commission is the final step in a yearslong process and resolves — at least for now — a dispute about US intelligence agencies’ ability to gain access to data about EU residents. The debate pitted US national security concerns against European privacy rights.
The accord, known as the EU-US Data Privacy Framework, gives Europeans the ability to object when they believe their personal information has been collected improperly by US intelligence agencies. An independent review body made up of US judges, called the Data Protection Review Court, will be created to hear such appeals.
Didier Reynders, the European commissioner who helped negotiate the agreement with US Attorney General Merrick Garland and Commerce Secretary Gina Raimondo, called it a “robust solution.” The deal sets out more clearly when intelligence agencies are able to retrieve personal information about people in the European Union and outlines how Europeans can appeal such collection, he said.
“It’s a real change,” Reynders said in an interview. “Protection is traveling with the data.”
President Joe Biden issued an executive order laying the groundwork for the deal in October, requiring US intelligence officials to add more protections for the collection of digital information, including by making them proportionate to the national security risks.
The trans-Atlantic agreement was a top priority for the world’s biggest technology companies and thousands of other multinational businesses that rely on the free flow of data. The deal replaces an accord, known as Privacy Shield, which the European Union’s highest court invalidated in 2020 because it did not include enough privacy protections.
The lack of an agreement had created legal uncertainty. In May, a European privacy regulator pointed to the 2020 judgment when fining Meta €1.2 billion ($1.3 billion) and ordering it to stop sending information about Facebook users in the European Union to the United States. Meta, like many businesses, moves data from Europe to the United States, where it has its headquarters and many of its data centers.
Other European privacy regulators ruled that services provided by US companies, including Google Analytics and MailChimp, could violate Europeans’ privacy rights because they moved data through the United States.
The issue traces back to when Edward Snowden, a former US national security contractor, released details of how America’s foreign surveillance apparatus tapped into data stored by US tech and telecommunications companies. Under laws such as the Foreign Intelligence Surveillance Act, US intelligence agencies may seek access to data about international users from companies for national security purposes.
After the disclosure, an Austrian privacy activist, Max Schrems, began a legal challenge arguing that Facebook’s storage of his data in the United States violated his European privacy rights. The European Union’s top court agreed, striking down two previous trans-Atlantic data-sharing pacts.
On Monday, Schrems said he planned to sue again.
“Just announcing that something is ‘new,’ ‘robust’ or ‘effective’ does not cut it before the Court of Justice,” Schrems said in a statement, referring to the European Union’s top court. “We would need changes in US surveillance law to make this work — and we simply don’t have it.”
Members of the European Parliament criticized the agreement. The parliament had no direct role in the negotiations, but passed a nonbinding resolution in May that said the agreement failed to create adequate protection.
“The framework does not provide any meaningful safeguards against indiscriminate surveillance conducted by US intelligence agencies,” said Birgit Sippel, a European lawmaker from the Socialists and Democrats group who specializes in civil liberties issues. “This lack of protection leaves Europeans’ personal data vulnerable to mass surveillance, undermining their privacy rights.”
Reynders said people should wait to test the new policy in practice.
He said the new framework would establish a system through which Europeans could raise concerns with the US government. First, Europeans who suspect that a US intelligence agency is unfairly collecting their data must file a complaint with their national data protection regulator. After further review, authorities will take the matter to US officials in a process that could eventually reach the new review panel.
Raimondo said this month that the US Department of Justice had established that the European Union’s 27 countries would have access to the tools that allowed them to complain about abuses of their rights. She said the Office of the Director of National Intelligence had also confirmed that intelligence agencies added the safeguards established in Biden’s order.
“This represents the culmination of months of significant collaboration between the United States and the EU and reflects our shared commitment to facilitating data flows between our respective jurisdictions while protecting individual rights and personal data,” Raimondo said in a recent statement.