European Commission takes step toward approving EU-US data privacy pact

The EU-US Data Privacy Framework—drafted to allow the flow of data between the US and the European Union—has cleared the first hurdle on its way to approval in the EU, but criticism of the pact makes it far from a done deal.

European Union, EU
Etienne Ansotte/EU

The European Commission announced Tuesday that is has officially begun the process of approving the EU-US Data Privacy Framework—hammered together to allow the flow of data between the US and the European Union—after concluding that the framework provides privacy safeguards comparable to those of the EU.

After President Biden signed the executive order that implemented rules for the Trans-Atlantic Data Policy Framework in the US in October, the Commission conducted an assessment into the US legal framework that the bill was based upon. That assessment, released Tuesday, says that the legislation ensures an adequate level of protection for personal data transferred from the EU to US companies.

Now, the draft adequacy decision has been transmitted to the European Data Protection Board (EDPB) for its opinion.

Once the EDPB has given its approval, the Commission must then seek approval from a committee comprising representatives from EU member states, as well as the European Parliament, which has a right of scrutiny over adequacy decisions. Only then can the Commission proceed with formally adopting the legislation.

If passed, the framework will mean US companies will have to agree to comply with a detailed set of privacy regulations, including the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties. The regulations essentially are supposed to ensure that data flow between the US and EU adheres to the EU's GDPR privacy regulations.

Additionally, EU citizens will benefit from several redress avenues if their personal data is handled in violation of the framework and will have the possibility to obtain redress regarding the collection and use of their data by US intelligence agencies before an independent and impartial redress mechanism, which includes a newly created Data Protection Review Court.

In comments posted alongside the announcement, the Commission’s vice president for values and transparency, Věra Jourová, said that the proposed framework will further improve the safety of personal data transferred from Europe to the US, building on the good progress the two parties have made over the years.

“The future framework is also good for businesses, and it will strengthen Transatlantic cooperation,” she said. “As democracies, we need to stand up for fundamental rights, including data protection. This is necessity, not a luxury in the increasingly digitalised and data driven economy.”

The new Trans-Atlantic Data Policy Framework is meant to replace old agreements including the Privacy Shield agreement, which was shut down by the European Court of Justice on grounds that the US doesn’t provide adequate protection for personal data, particularly in relation to state surveillance.

The new framework, though, also has critics, who say that the agreement does not ensure that US security forces will refrain from accessing EU citizens' data once it has been transferred to the US.

Even if the EU does ratify the framework despite the criticism, it will not likey be approved until spring 2023 at the earliest.

Copyright © 2022 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon