A deal to ensure that data from Meta, Google and scores of other tech companies continues to flow between the United States and the European Union was finalized on Monday, after the digital transfer of personal information between the two jurisdictions was thrown into doubt over privacy concerns. worries
The decision adopted by the European Commission is the final step in a multi-year process and resolves — at least for now — a dispute over the ability of American intelligence agencies to gain access to data on residents of the European Union. The debate pitted US national security concerns against European privacy rights.
The accord, known as the EU-US Data Privacy Framework, gives Europeans the ability to object when they believe their personal information has been collected improperly by American intelligence agencies. A new independent review body made up of American judges, called the Data Protection Review Court, will be created to hear such appeals.
Didier Reynders, the European commissioner who helped negotiate the deal with the US attorney general, Merrick B. Garland, and the commerce secretary, Gina Raimondo, called it a “robust solution.” He said the agreement shows more clearly when secret agencies can take personal information about people in the European Union and also outlines how Europeans can appeal such collection.
“It’s a real change,” Mr. Reynders said in an interview. “Protection travels with the data.”
President Biden issued an executive order laying the groundwork for the deal in October, requiring US intelligence officials to add more protections for the collection of digital information, including making them commensurate with national security risks.
The trans-Atlantic deal has been a top priority for the world’s largest technology companies and thousands of other multinational businesses that depend on the free flow of data. The agreement replaces a previous agreement, known as the Privacy Shield, which was annulled in 2020 by the European Union’s highest court because it did not include enough privacy protections.
The lack of agreement created legal uncertainty. In May, a European privacy regulator pointed to the 2020 judgment when it fined Meta 1.2 billion euros ($1.3 billion) and ordered it to stop sending information about Facebook users in the European Union to the United States. Meta, like many businesses, moves data from Europe to the US, where it has its headquarters and many of its data centers.
Other European privacy regulators have ruled that services provided by US companies, including Google Analytics and MailChimp, could violate the privacy rights of Europeans because they moved data across the US.
The issue dates back to when Edward Snowden, a former US national security contractor, released details of how America’s foreign surveillance apparatus exploited data stored by US technology and telecommunications companies. Under laws such as the Foreign Intelligence Surveillance Act, US intelligence agencies can seek to gain access to data about companies’ international users for national security purposes.
After the disclosure, an Austrian privacy activist, Max Schrems, launched a legal challenge arguing that Facebook’s storage of his data in the United States violated his European privacy rights. The European Union’s highest court agreed, striking down two previous transatlantic data pacts.
On Monday, Mr. Schrems said he planned to sue again.
“Just announcing that something is ‘new,’ ‘robust’ or ‘effective’ doesn’t cut it in front of the Court,” Mr. Schrems said in a statement, referring to the European Union’s top court. “We would need changes in the US surveillance law to make this work – and we just don’t have it.”
Members of the European Parliament criticized the agreement. Parliament had no direct role in the negotiations, but passed a non-binding resolution in May that said the agreement did not create adequate protection.
“The framework does not provide any meaningful safeguards against indiscriminate surveillance by US intelligence agencies,” said Birgit Sippel, a European lawmaker from the Socialists and Democrats group who specializes in civil liberties issues. “This lack of protection leaves Europeans’ personal data vulnerable to mass surveillance, undermining their privacy rights.”
Mr. Reynders said people should wait to test the new policy in practice.
He said the new framework would establish a system through which Europeans could raise concerns with the US government. First, Europeans who suspect that their data is being unfairly collected by a US intelligence agency must file a complaint with their national data protection regulator. After further review, authorities will take the matter to US officials in a process that could eventually reach the new review panel.
Ms. Raimondo said this month that the US Department of Justice had established that countries within the 27-nation European Union would have access to the tools that allow them to complain about abuses of their rights. She said the Office of the Director of National Intelligence also confirmed that intelligence agencies had added the safeguards established in Mr. Biden’s order.
“This represents the culmination of months of important cooperation between the US and the EU and reflects our shared commitment to facilitate data flows between our respective jurisdictions while protecting individual rights and personal data,” Ms. Raimondo said in a recent statement.