The “EU-U.S. Data Privacy Framework”, a new data protection agreement between the EU and the U.S. designed to facilitate data transfers from European to American companies, came into force on July 11, 2023. It replaces the previous “Safe Harbor” and “Privacy Shield” agreements, which were declared invalid by the ECJ (European Court of Justice). These agreements govern the conditions under which personal data of EU citizens can be transferred to the U.S.
This new agreement forms the basis for an adequacy decision by the EU Commission, which means that the Commission finds that the U.S. provides an adequate level of data protection. Companies can therefore transfer data to the US and use American cloud services without having to take further protective measures. However, this is only the case if the U.S. company concerned has a valid certification in accordance with the “EU-U.S. Data Privacy Framework”.
The key points of the new agreement include restrictions on access to personal data by U.S. intelligence services, as well as legal remedies for EU citizens against the collection and use of their data by these services. A new court, the Data Protection Review Court (DPRC), will be established to review complaints and order binding remedies. There will also be periodic reviews to ensure that the terms of the agreement are being followed.
It remains unclear whether the agreement will actually improve data protection.
Although the agreement has been hailed as an important step in data protection, it has also drawn criticism. Privacy activist Max Schrems has already announced he will file a lawsuit against the new agreement. It remains unclear whether the agreement will actually improve data protection, and whether it will be upheld by the ECJ.
“Safe Harbor” and “Privacy Shield” already failed
“Safe Harbor” and “Privacy Shield” were data protection agreements between the European Union (EU) and the United States (US) designed to regulate the transfer of personal data between the two regions.
“Safe Harbor” was the first of these agreements and was introduced in 2000. It established a framework under which U.S. companies were allowed to receive and process personal data from the EU. However, “Safe Harbor” was declared invalid by the European Court of Justice (ECJ) in 2015. The ruling stemmed from a lawsuit filed by Austrian privacy activist Max Schrems. He argued that the agreement did not adequately protect the data privacy of EU citizens, especially in light of Edward Snowden’s revelations about the extent of surveillance by U.S. intelligence agencies.
In response to the invalidation of “Safe Harbor”, the “Privacy Shield” agreement was introduced in 2016. It included additional safeguards and controls to address privacy concerns. However, this agreement was also declared invalid by the ECJ in 2020, again due to a lawsuit filed by Schrems. The court ruled that the Privacy Shield did not sufficiently protect European citizens’ data from access by the U.S. government.
Both agreements ultimately failed because, according to the ECJ, they did not sufficiently guarantee EU citizens’ data protection, particularly with regard to access to their data by U.S. authorities and intelligence agencies. These rulings have meant that data transfer between the EU and the US remains a complex and contentious issue.