American companies will be able to continue storing their users' data on servers based in the United States, according to the decision recently announced by the European Union.
“The United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to U.S. companies under the new framework. On the basis of the new adequacy decision, personal data can flow safely from the EU to U.S. companies participating in the Framework, without having to put in place additional data protection safeguards,” the European Commission noted in a statement on Monday.
The action is based on the U.S.-EU Data Privacy Framework, which the two sides agreed on in March last year, following negotiations between European Justice Commissioner Didier Reynders and U.S. Commerce Secretary Gina Raimondo.
President Joe Biden signed an executive order on “Enhancing Safeguards for United States Signals Intelligence Activities” in October, which was complemented by regulations issued by Attorney General Merrick Garland.
The Biden administration introduced two new policies to ensure the safety of the stored data:
- The agreement limits access to EU data by U.S. intelligence services to what is necessary
- It establishes a Data Protection Review Court (DPRC) in the U.S., to which EU individuals will have access, and which can impose various remedial measures
“Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the U.S., and at the same time to reaffirm our shared values. It shows that by working together, we can address the most complex issues,” European Commission President Ursula von der Leyen said in the announcement.
The EU will periodically review the functioning of the Framework in collaboration with U.S. authorities. The first meeting is scheduled to take place within a year to verify that all elements have been fully implemented in the U.S. legal system and are applied in practice.
European Commission (@EU_Commission), July 10, 2023:
“The protection of your personal data is a fundamental right.
After intense cooperation with our US partners, we are adopting a new EU-US Data Privacy Framework for safe and trusted EU-US data flows.
This will ensure an adequate level of data protection for EU citizens and bring…”
What Are the Differences Between U.S. and EU Data Privacy Laws?
The U.S.-EU data privacy dispute revolved around the transfer of personal data between the EU and the U.S. The issues stemmed mainly from differences in data protection regulations and concerns over the privacy rights of European citizens when their data is transferred overseas.
The main point of contention was the disparity in privacy standards.
The EU already had a strict data protection framework governed by the General Data Protection Regulation (GDPR), which grants individuals control over their personal data and requires companies to meet tight data protection requirements.
On the other hand, the U.S. follows a more fragmented approach to data protection, with various laws and regulations in place at both federal and state levels.
This disparity led to the invalidation of the EU-U.S. Privacy Shield framework by the European Court of Justice (ECJ) in July 2020.
At the time, the ECJ ruled that the Privacy Shield didn’t provide adequate protection for European citizens' data when transferred to the U.S. due to concerns over Washington’s surveillance practices.
In recent years, companies mostly relied on alternative legal mechanisms, such as Standard Contractual Clauses (SCCs), to facilitate data transfers.
However, this has caused many problems in practice.
Nearly two months ago, the European Commission fined Facebook parent Meta Platforms a record-breaking $1.3 billion after it found that Facebook's practice of moving EU user data to U.S. servers violated the bloc's privacy laws.
Brussels ordered Meta to delete the data it had stored on its U.S. servers if the tech giant didn't find a legal way to keep that information by the coming fall.
However, yesterday’s agreement might allow Meta to avoid deleting any data while still paying the fine, according to The Wall Street Journal.