This week, the EU and U.S. negotiated a Data Privacy Framework that would permit the safe and compliant transfer of data from the EU to the U.S. This resolution is a boon to Meta and other tech giants, whose use of massive amounts of user data is pervasive. Yet, there is the danger that privacy advocates may take legal action due to their dissatisfaction with the level of defense afforded to Europeans.
Following a landmark agreement between the U.S. and European Union, businesses can still transfer data between the two superpowers as they had previously. This pact, which supersedes the one nullified last year, is of great importance to American tech organizations which store and process data belonging to EU citizens. In the absence of the agreement, these corporations could have been forced to pay for expensive setups to deal with the data locally or have to withdraw their services from the bloc. This new agreement, then, provides a reprieve for U.S. corporations that transmit huge amounts of user information around the globe. Nonetheless, there have been objections raised by privacy advocates who deem the framework to be akin to the revoked Privacy Shield. CNBC takes a detailed look into the new arrangement, assessing its significance and prospects.
The European Commission unveiled the EU-U.S. Data Privacy Framework on Monday to enhance the safety of data exchanged between the two entities. By recognizing that U.S. data protection legislation provides a satisfactory level of security for EU citizens, it proposes further safeguards to minimize access to European information by U.S. intelligence services, so that it will only be obtained if deemed to be necessary and reasonable. Furthermore, a Data Protection Review Court is planned to be set up in order for Europeans to call for deletion of their data should it be found to violate the new regulations.
The Data Privacy Framework was created to replace the Privacy Shield, which enabled companies to move and store Europeans' data in the U.S. The replacement was spurred by a ruling from the European Court of Justice in July 2020, after Austrian privacy campaigner Max Schrems argued that the U.S. did not provide adequate protection against state surveillance due to Edward Snowden's exposé of the NSA. Schrems targeted Facebook, whose data-sharing activities with the U.S. were regulated by the Irish Data Protection Commission, in his complaint. In 2015, the same court had invalidated the Safe Harbour Agreement as it did not sufficiently protect the data of European citizens.
The Privacy Shield was abolished, leaving companies to resort to Standard Contractual Clauses (SCCs) as an alternate solution for transatlantic data transfers. However, even this option is now facing risk; the Irish DPC found that Meta's use of SCCs for personal data transfers to the U.S. was breaching the GDPR, leading to a record-breaking fine of $1.3 billion.
Multinationals have to figure out how to move customer data across boundaries securely and in compliance with data protection regulations. Tech giants like Amazon, Google, and Meta regularly share data on European customers to U.S.-based sites. While this is an accepted practice, it has recently come under intense criticism from observers who see it as an encroachment on privacy rights.
Tech companies use customer data to create personalized advertisements and recommendations, which hasn't gone unscathed; the Cambridge Analytica scandal was an example of data being misused. Europe has set forth strict GDPR rules in order to safeguard user data, while the U.S. is still working on implementing a single federal data protection law. Currently, individual U.S. states have individual safeguards, with California leading the way.
Clifford Chance partner Holger Lutz noted that U.S. law, along with the new framework, have been expanded to support EU citizens’ data protection rights. The framework, as well as other mechanisms such as the EU standard contractual clauses, are in place outside the framework to protect Europe-U.S. transfers.
The new data privacy framework having been accepted guarantees businesses security in the way they can manage data across boundaries in the future. Had there not been a consensus, several corporations might have had to terminate their activities in Europe. Meta openly voiced this fear already in February 2022. Nonetheless, there are still confronting issues. Schrems, the Austrian privacy activist that led to the termination of Privacy Shield, has announced his intention to file a lawsuit in order to nullify the new data-sharing agreement.
In a statement, Schrems declared that his law firm Noyb had "various options for a challenge already in the drawer." He stated that they anticipate bringing the matter before the Court of Justice by early next year. He further added that the Court of Justice could suspend the new deal while reviewing its substance in the pursuit of legal clarity and the rule of law. Privacy activists argued that the measures were inadequate as U.S. privacy laws do not provide safeguards to non-U.S. citizens, thus leaving people in the EU exposed to a lower degree of protection. Lutz of Clifford Chance informed CNBC that the success of the framework will rely on if the European courts deem the U.S. safeguards for personal data to meet the EU standards of protection. Businesses will be assessing the possible challenges in their planning scenarios with vigilance.
top of page
bottom of page
Comments