The movement of knowledge between the EU and the US raises privateness considerations and enterprise uncertainty
A new EU-US data transfers deal has alarmed businesses and privacy advocates.
The pact, known as the EU-US Data Privacy Framework, was announced by the European Commission on Monday. The EU executive concluded that the US offered an “adequate level of protection” for data transfers under the new agreements.
The framework replaces the Privacy Shield, which the EU’s Supreme Court overturned in July 2020 over concerns that the US did not offer adequate protections from government surveillance.
As a result, organizations have been forced to move data using a mechanism called Standard Contractual Clauses (SCC), which can be tedious to manage. As Meta recently learned, the lawsuit could also have costly consequences.
The <3 of EU technology
The latest rumors from the EU tech scene, a story of our wise founder Boris and questionable AI art. It’s in your inbox for free every week. Join Now!
In June, the Facebook owner was fined €1.2 billion for misusing personal data under the Standard Contractual Clauses – a record fine for a breach of the GDPR. Meta called the verdict “unjustified and unnecessary”.
Under the new framework, companies have been given hope for clearer and simpler data flows for companies. The agreement also introduces new safeguards, including a new privacy review court and restricted access to EU data by US intelligence agencies.
However, critics say that the new regulations do not offer enough security. They note that the Fourth Amendment still does not apply to EU citizens, which under existing American legislation would protect them from US government espionage.
“[The framework] “Limits US espionage services to what is ‘necessary and proportionate,’ but that’s no consolation to EU citizens who recall similar promises under the Safe Harbor and Privacy Shield,” said Paul Bischoff, consumer protection officer at Cybersecurity site Comparitech.
Another cause for concern is the possibility of further changes. Privacy activist Max Schrems, who previously challenged US-EU data-sharing agreements, has already threatened legal action against the new framework.
As a result, companies now have to adapt to yet another set of rules, which could also be reversed.
“The fact that the agreement has already been successfully challenged twice means there is a real risk that it will be voided again, leaving the companies in the dark as to where to proceed,” said Cory Munchbach, CEO of Customer Data platforms BlueConic.
The challenge of Schrems and his non-profit data protection organization, Night (None of your business) could see the framework repealed within a few years.
David Dumont, Attorney at Hunton Andrews Kurthwho specializes in EU data protection law, warns that companies need reassurance that they can rely on the new rules.
“If the new adequacy decision were again rejected by the EU’s Court of Justice, organizations could lose confidence in the feasibility of a successful EU-US data transfer framework and rely on EU Standard Contractual Clauses as the sole and only permanent solution to legitimize data transfers to the.” states.”