US offers concessions on surveillance and privacy as EU and US agree successor to Privacy Shield
The European Union and the US have reached a high-level settlement to enable transatlantic information sharing underneath a deal that guarantees higher privacy rights for EU residents and stronger oversight of US intelligence gathering.
President Joe Biden and Ursula von der Leyen, president of the European Commission, introduced that the EU and the US had reached settlement on a successor to the Privacy Shield information sharing settlement, dominated illegal in July 2020 by an EU court docket.
The White House mentioned the US agreed to increase its oversight of US alerts intelligence, strengthen civil liberties safeguards, and create a brand new binding authorized mechanism that may give EU residents rights of redress in the event that they imagine their information has been abused.
The Trans-Atlantic Data Privacy Framework guarantees an finish to practically two years of authorized uncertainty, notably for small and medium-sized corporations which largely relied on Privacy Shield as their sole authorized foundation for sharing information between Europe and the US.
But questions stay whether or not any deal will absolutely meet considerations raised by the European Court of Justice over EU residents’ rights of redress within the US if their privacy is violated if, as is probably going, the brand new settlement is topic to a authorized problem within the European Court of Justice.
Biden instructed a press convention that the EU and the US had reached a “major breakthrough” after the US agreed to “unprecedented protections for data privacy and security”.
“This new arrangement will enhance the Privacy Shield framework, promote growth and innovation in Europe and the United States and help companies both small and large compete in the digital economy,” he mentioned.
The deal would enable the European Commission to authorise information flows that assist to facilitate $7.1tn in financial relationships with the EU.
Ursula von der Leyen mentioned the settlement would safeguard privacy and civil liberties whereas enabling “predictable and trustworthy” information flows between the EU and the US.
The choice was welcomed by Big Tech corporations. Nick Clegg, president of worldwide affairs at Facebook proprietor, Meta, which is topic to an imminent choice by the Irish Data Protection Commissioner on the legality of its EU-US information transfers, mentioned the choice supplied a lot wanted certainty.
“With concern growing about the global internet fragmenting, this agreement will help keep people connected and services running. It will provide invaluable certainty for American and European companies of all sizes, including Meta, who rely on transferring data quickly and safely,” he wrote on Twitter.
The Computer & Communications Industry Association, which represents Amazon, Google, Facebook, and different giant tech corporations, mentioned that the settlement would profit worldwide corporations.
“We trust that a new framework will restore legal certainty for businesses and stronger safeguards for users,” mentioned CCIA director Alexandre Roure in a statement.
Data Protection Review Court
The White House mentioned {that a} new information sharing framework would give EU residents the appropriate of redress in the event that they imagine their privacy has been compromised, by an unbiased Data Protection Review Court staffed by non-government officers.
The US additionally gave assurances that alerts intelligence assortment would solely be “undertaken where necessary to advance legitimate national security interests” and wouldn’t “disproportionately” affect people’ privacy rights and civil liberties.
US intelligence businesses “will adopt procedures to ensure effective oversight of new privacy and civil liberties standards,” in accordance to a White House briefing.
The headline settlement follows greater than a 12 months of detailed negotiations between US and EU officers.
The White House mentioned that organisations that sign-up to the brand new framework could be anticipated to adjust to the rules of Privacy Shield. As with Privacy Shield, they are going to be ready to self-certify their compliance with the brand new framework by the US Department of Commerce.
The US mentioned that EU residents would have entry to “multiple avenues of recourse” to resolve complaints about US organisations’ use of their information. This would come with different dispute decision and binding arbitration.
Biden will introduce authorized measures required within the US to implement the settlement by an Executive Order, which will likely be assessed by the European Commission earlier than it makes a knowledge adequacy choice concerning the US.
Legal problem doubtless
It is unclear whether or not the concessions made by the US will likely be sufficient to forestall an additional authorized problem over the lawfulness of EU-US information sharing, following selections by the European Court to strike out Privacy Shield in 2020 and its predecessor, Safe Harbour in 2015.
Both instances have been introduced by the Austrian activist lawyer, Max Schrems, who mentioned that that he would take any new settlement that doesn’t adjust to EU legislation again to the European Court of Justice inside months of it being finalised.
“The final text will need more time, once this arrives we will analyse it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision,” he mentioned
Regulatory enforcement
The finalisation of an settlement will finish greater than 18 months of authorized uncertainty for US and EU organisations that share information.
Within a 12 months of the choice to strike down Privacy Shield, in what grew to become identified as the Schrems II case, some companies have been selecting to localise information or cease information transfers altogether.
There has additionally been a rise in regulatory enforcement in opposition to companies, which has made it harder to switch information abroad, mentioned Caitlin Fennessy, vp and chief data officer of the International Association of Privacy Professionals (IAPP).
“Enforcement has escalated, narrowing companies’ compliance options, and increasing the risks and challenges associated with transferring data. This has led to increased interest in data localisation and made some EU companies question the legality of working with long-standing foreign partners,” she instructed Computer Weekly.
EU and US officers, the intelligence group, and politicians, have been negotiating a substitute for Privacy Shield since 2020.
Over the previous three months, EU commissioner Didier Reynders and US secretary for commerce Gina M. Raimondo, have led more detailed talks.
EU and US negotiators will now hammer out the tremendous particulars of the settlement, which would require the approval of EU member states.
Small and medium-sized corporations
Thomas Boué, director normal, for coverage for Europe at BSA, a software program commerce group, instructed Computer Weekly {that a} revised Privacy Shield would have vital advantages for small and medium-sized corporations.
Currently companies are required to use authorized agreements, identified as Standard Contractual Clauses (SCCs), which require complicated negotiations and adjustments to contracts to be put in place, he mentioned.
“Privacy Shield is a much easier way to transfer data as there is an agreement between the EU and the US that their data protection is equivalent, so there is no need for accredited companies to take further steps,” he mentioned.
IAPP’s Fennessy instructed Computer Weekly that she anticipated the substitute Privacy Shield framework to be examined by regulators and the courts “almost immediately”. But she mentioned the EU and the US had an curiosity in negotiating an enduring settlement.
“US and EU negotiators certainly recognised this and share individuals’ and businesses’ interest in a durable framework. While we have not seen the details, we know that this deal was not hammered out overnight,” she mentioned.
Guillaume Couneson, information safety associate at world legislation agency Linklaters in Brussels, mentioned the flexibility to switch private information throughout the Atlantic by a brand new Privacy Shield settlement would increase financial progress.
“For companies with a presence in both the EU and the US, the possibility to transfer personal data safely across the Atlantic and in compliance with applicable data protection rules is business critical,” he mentioned.
