EU agrees to reopen data transfers to the US, legal challenges imminent

The new EU-US Data Privacy Framework looks a lot like the old Privacy Shield, says privacy advocate Max Schrems

The European Commission (EC) has approved an agreement with the United States, which paves the way for data transfers between the US and EU to be reopened.

The decision, effective from today, July 11, is the latest attempt by the EU and the US to address privacy and surveillance issues in the transfer of data concerning their citizens. It follows the collapse of the Privacy Shield in 2020 and before that the invalidation of the Safe Harbour arrangement in 2015.

The EC said that the new agreement, known as the EU-US Data Privacy Framework (DPF), recognises that the US ensures an adequate level of protection for personal data, comparable to that of the EU.

A deciding factor in today's decision was the executive order signed by President Biden in October 2022, which introduced new safeguards aimed at resolving the issues that led to the collapse of Privacy Shield.

The executive order included limitations on US intelligence agencies' access to EU citizens' data, allowing access only to what is necessary and proportionate. The establishment of a new US Data Protection Review Court (DPRC), which would hear cases of European citizens concerned about use of their data.

The new agreement allows European individuals to object if they suspect that their data has been collected by US intelligence.

The announcement follows that of the UK-US Data Bridge agreement in June.

EC president Ursula von der Leyen said in a statement: "Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values."

However, the agreement has already faced criticism from privacy advocates. Max Schrems, the Austrian lawyer who played a pivotal role in invalidating the previous data transfer frameworks, who is head of advocacy group None of Your Business (noyb), said: "Just like Privacy Shield, the latest agreement is not based on material changes, but on short-term political thinking."

Schrems claimed there are few significant differences between DPF and Privacy Shield. He argued that the new DPRC fails to adequately address privacy violations and is bound by the same limitations as the previous Privacy Shield ombudsman. Schrems also expressed reservations about the use of the term "proportionate" concerning US intelligence's access to EU citizen data, an issue that was initially raised in October when the DPF's terms were agreed by Biden and von der Leyen.

A major bone of contention is FISA Section 702, which permits warrantless targeted surveillance of non-US citizens and was at the heart of the previous disputes. Biden recently pushed for renewal of this law.

Noyb is planning potential legal action in the European Court of Justice (ECJ) once companies begin utilising the DPF in the coming months. Nyob says a challenge could be filed by the end of 2023 or early 2024, potentially leading to the suspension of the DPF until the proceedings are concluded.

In the meantime, however, the decision will provide some welcome clarity for businesses.

Sridhar Iyengar, managing director of Zoho Europe, welcomed the DPF announcement.

"Data is a central business tool across many sectors so it is encouraging to see the EU and US collaborating to further enhance its benefits," he said.

"For the full benefits and potential of data to be realised, ensuring a safe and ethical approach to the collection, storage and use of personal data is essential for businesses. It is great to see data regulation on the radar of many governments around the world and while this is a good starting point, organisations should create their own data policies that are transparent and safeguard customers.

"Customers are increasingly aware of how their data is used and to maintain trust and a good customer experience, ensuring ethical use is critical."