The European Commission has adopted a successor to the Privacy Shield data transfer treaty. The EU-US Data Privacy Framework should allow data from European citizens to be stored in the US. New in the treaty are guarantees about security in the US.
The European Commission adopted the treaty, which now allows American tech companies to store data of European citizens in the US. That is what the Privacy Shield Treaty used to be for, but it was declared illegal by the European Court of Justice in July 2020. Since then, Europe and the United States have been working on a successor, which now exists with the Data Privacy Framework.
The Data Privacy Framework must solve the problems that the Court saw in Privacy Shield. This mainly concerns the protection of data on American servers. The biggest problem with Privacy Shield was that US intelligence services could access the stored data under certain conditions. This has been resolved since October last year by an executive order that President Joe Biden signed. The order ‘Enhancing Safeguards for United States Signals Intelligence Activities’ sets limits on what intelligence services are allowed to collect and increases supervision of those intelligence services.
The Data Privacy Framework contains a number of safeguards that the US and specifically the intelligence services must adhere to. In the event of complaints, citizens no longer have to prove that their data was collected in the first place. This means that citizens can file objections in Europe and do not have to do so in the US. This can be done via the European Data Protection Board, the European umbrella organization of privacy regulators. The framework also states which legal process must be followed in that case. The treaty enters into force this week. After a year, the European Commission will investigate whether this is still up to date and whether any changes or improvements to the treaty are necessary.
The new treaty marks a new, important step in the long legal battle between Europe and privacy activist Max Schrems. He has been fighting against data transfers with his noyb foundation for several years. It was his case that ultimately shut down Privacy Shield. Schrems says in a comment disagree with the new treaty. He thinks that this will be returned to the European Court ‘within a few months’. Schrems calls the Data Privacy Framework ‘largely a copy of the failed Privacy Shield’. There would be “little change in US law or the EU’s approach” to the treaty.