Von der Leyen and US President Joe Biden announced an agreement in principle on data protection issues in spring 2022.
(Photo: dpa)
Brussels The EU Commission has declared data protection in the USA to be equivalent. The authority is thus creating a new legal basis for companies that want to send data from EU citizens to America.
It is a major breakthrough for companies on both sides of the Atlantic. The legal situation has been uncertain since the European Court of Justice (ECJ) declared the European-American data agreement “Privacy Shield” to be illegal in 2020.
The new “Data Privacy Framework” is solid and meets all the conditions of the ECJ, said EU Justice Commissioner Didier Reynders on Monday in Brussels. The binding rules limit US intelligence agencies’ access to Europeans’ data to what is “necessary and appropriate”. There is also now an effective way for European citizens to sue violations in the US.
The Commission’s so-called equivalence decision follows years of bilateral negotiations over how the US could meet European data protection requirements. US President Joe Biden and EU Commission President Ursula von der Leyen announced an agreement in principle in March 2022. This was followed by many rounds on the legal details.
Last week, the Biden government finally announced that it had implemented all the steps agreed with the Europeans in US law. This paved the way for the Commission to now recognize data protection as equivalent in the US.
Business associations welcomed the Commission’s decision. The president of the digital association Bitkom, Ralf Wintergerst, said that a “three-year stalemate” was coming to an end. In principle, companies were given legal certainty again if they had to transfer personal data between the EU and the USA.
Max Schrems announces lawsuit against the agreement
However, the new regulation would certainly be reviewed again by the courts. “There it will be seen whether the EU legislator has found a legally resilient regulation with the Data Privacy Framework,” said Wintergerst.
Data protection activist Max Schrems immediately announced a new lawsuit on Monday. “They say the definition of insanity is doing the same thing over and over again and expecting a different result,” he said.
The Austrian has already brought down two transatlantic data agreements. In 2015, after a Schrems lawsuit, the European Court of Justice overturned the “Safe Harbor” agreement, followed in 2020 by the successor “Privacy Shield”.
Schrems wrote on Twitter that the new agreement was “largely a copy of old principles”. The US government continues to believe that only American citizens have constitutionally protected fundamental rights. The US and the EU also have different understandings of what is “proportionate” when it comes to data collection.
Commission: The situation now is different from 2015 and 2020
The Commission was confident that this time the agreement would be legally sound. A Commission official said that one had learned from Schrems’ previous lawsuits which criteria were important to the judges. The situation is therefore now fundamentally different than before the two court decisions. If there is another lawsuit, the question will be whether the court’s conditions have been met, the official said. From his point of view, the key requirements are “fully met”.
The decision should also have consequences for the Facebook group Meta. In May, the Irish data protection authority fined the tech company €1.2 billion for failing to adequately protect the data of European users from access by US intelligence agencies.
Meta had announced an appeal against this decision. The EU Commission official said the Irish data protection authority will now have to take into account the Commission’s equivalence decision and reassess the situation.
More: Like Meta, EU companies also face high penalties