An agreement to ensure that data from Meta, Google and several other companies can continue to flow between the United States and the European Union was completed on Monday, following the digital transfer of personal information between the two jurisdictions. is questionable due to privacy concerns.
The decision adopted by the European Commission is the final step in a year-long process and resolves — at least for now — a dispute over the ability of American intelligence agencies to gain access to data about European residents. Union. The debate pitted US national security concerns against European privacy rights.
The agreement, known as the EU-US Data Privacy Framework, gives Europeans the ability to object when they believe their personal information has been improperly collected by American intelligence agencies. An independent review body made up of American judges, called the Data Protection Review Court, will be created to hear such appeals.
Didier Reynders, the European commissioner who helped negotiate the deal with the US attorney general, Merrick B. Garland, and Commerce Secretary Gina Raimondo, called it a “solid solution.” The deal sets out more clearly when intelligence agencies can obtain personal information about people in the European Union and outlines how Europeans can appeal such collection, he said.
“This is a real change,” Mr. Reynders said in an interview. “Protection travels with data.”
President Biden issued an executive order laying the groundwork for the deal in October, requiring American intelligence officials to add more protections for collecting digital information, including making them proportionate to national security risks.
The trans-Atlantic agreement is a top priority for the world’s largest technology companies and thousands of other multinational businesses that rely on the free flow of data. The deal replaces an agreement known as the Privacy Shield, which was invalidated by the European Union’s highest court in 2020 because it did not include enough privacy protections.
The lack of an agreement created legal uncertainty. In May, the European privacy regulator pointed to the 2020 ruling when it fined Meta 1.2 billion euros ($1.3 billion) and ordered it to stop sending information about Facebook users in the European Union to the United States. Meta, like many businesses, moves data from Europe to the United States, where it has its headquarters and many of its data centers.
Other European privacy regulators have ruled that services provided by American companies, including Google Analytics and MailChimp, may violate the privacy rights of Europeans because they transfer data through the United States.
The issue resurfaced when Edward Snowden, a former US national security contractor, released details of how America’s foreign surveillance apparatus tapped into data stored by American tech and telecommunications companies. Under laws such as the Foreign Intelligence Surveillance Act, US intelligence agencies can seek access to data about international users from companies for national security purposes.
After the disclosure, an Austrian privacy activist, Max Schrems, began a legal challenge arguing that Facebook’s storage of his data in the United States violated his European privacy rights. The European Union’s top court agreed, striking down two previous trans-Atlantic data-sharing agreements.
On Monday, Mr. Schrems said he planned to sue again.
“Just announcing that something is ‘new,’ ‘robust’ or ‘effective’ doesn’t cut it in front of the Court of Justice,” said Mr. Schrems in a statement, referring to the highest court of the European Union. “We need changes to US surveillance laws to do this — and we don’t have them.”
Members of the European Parliament criticized the agreement. Parliament had no direct role in the negotiations, but passed a non-binding resolution in May that said the agreement failed to create adequate protection.
“The framework does not provide any significant safeguards against indiscriminate surveillance carried out by US intelligence agencies,” said Birgit Sippel, a European lawmaker from the Socialists and Democrats group who specializes in civil liberties issues. “This lack of protection leaves Europeans’ personal data vulnerable to mass surveillance, undermining their privacy rights.”
Mr. Reynders said people should wait to test the new policy in practice.
He said the new framework would establish a system through which Europeans could raise concerns with the American government. First, Europeans who suspect that an American intelligence agency is unfairly collecting their data must file a complaint with their national data protection regulator. After further review, authorities will take the matter to American officials in a process that could lead to a new review panel.
said Ms. Raimondo this month that the US Department of Justice established that the 27 countries of the European Union will have access to tools that allow them to complain about abuses of their rights. He said the Office of the Director of National Intelligence had also confirmed that intelligence agencies had added safeguards established at Mr. Biden’s order.
“This represents the culmination of months of meaningful cooperation between the United States and the EU and reflects our shared commitment to facilitating data flows between our respective jurisdictions while protecting individual rights and personal data ,” said Ms. Raimondo in a recent statement.
