> Here’s something new: After two data protection agreements between Europeans and Americans have already failed, they are now making a third attempt. A prominent critic remains skeptical.
>
»EU-US Data Privacy Framework«: This is the name of another international data protection agreement between the EU and the USA . The EU Commission announced on Monday that it had passed a so-called adequacy decision. What is meant by this is a political determination that a third country offers an appropriate level of protection for personal data that EU companies transfer there that is comparable to the General Data Protection Regulation (GDPR). In this case, it is – again – about the USA.
>
According to a press release from the EU Commission, the data package that has now come into force as a result of the decision introduces new and binding guarantees in order to dispel all the concerns expressed by the European Court of Justice . For example, access by US secret services to EU data is limited to what is necessary and proportionate.
>
**New court to watch over EU data**
>
In addition, a special court is to be set up to which EU citizens have access and which will check compliance with data protection measures. If that court finds that data was collected in violation of the new guidelines, it could order the deletion of the data, emphasizes the EU Commission. US companies could join the compact by committing to comply with a range of data protection obligations.
>
EU Commission President Ursula von der Leyen said the new agreement will ensure secure data traffic for Europeans and offer companies on both sides of the Atlantic legal certainty. In addition to the EU members, Norway, Liechtenstein and Iceland are also involved in the agreement with the Americans.
>
**The previous agreement failed with a bang**
>
The »Transatlantic Data Privacy Framework« is a successor solution to an agreement called »Privacy Shield«, which was overturned by the European Court of Justice (ECJ) in 2020 . With a view to the access options of the US authorities, the requirements for data protection are not guaranteed, the judges decided at the time. The legal protection for those affected was also insufficient.
>
The verdict was the result of years of litigation. The data protection activist Max Schrems had originally complained to the Irish data protection authority that Facebook Ireland forwarded its data to the parent company in the USA, although this data was not adequately secured there against US surveillance programs. As early as 2015, Schrems filed a lawsuit invalidating the transnational “Safe Harbor” agreement between the USA and the EU.
>
Schrems, who has since co-founded the civil rights organization noyb, commented on the agreement: »They say the definition of insanity is doing the same thing over and over again and expecting a different result. (…) We now had ‘harbors’, ‘umbrellas’, ‘shields’ and ‘frameworks’ – but no substantial change in US surveillance law.« The current press releases are almost a verbatim copy of those from 23 years ago. “The mere assertion that something is ‘new’, ‘robust’ or ‘effective’ is not sufficient before the Court,” says Schrems. “We needed a change in US surveillance law and there isn’t one.”
>
Ralf Wintergerst, President of the tech industry association Bitkom, on the other hand, said that the “Data Privacy Framework” was the end of “a three-year stalemate”: “Companies will fundamentally regain legal certainty if they have to transfer personal data between the EU and the USA .” However, Wintergerst also emphasized that it is foreseeable “that the new regulation that has now been found will be reviewed again by the courts”: “There it will be seen whether the EU legislator has found a legally resilient regulation with the ‘Data Privacy Framework’ .«
1 comment
> Here’s something new: After two data protection agreements between Europeans and Americans have already failed, they are now making a third attempt. A prominent critic remains skeptical.
>
»EU-US Data Privacy Framework«: This is the name of another international data protection agreement between the EU and the USA . The EU Commission announced on Monday that it had passed a so-called adequacy decision. What is meant by this is a political determination that a third country offers an appropriate level of protection for personal data that EU companies transfer there that is comparable to the General Data Protection Regulation (GDPR). In this case, it is – again – about the USA.
>
According to a press release from the EU Commission, the data package that has now come into force as a result of the decision introduces new and binding guarantees in order to dispel all the concerns expressed by the European Court of Justice . For example, access by US secret services to EU data is limited to what is necessary and proportionate.
>
**New court to watch over EU data**
>
In addition, a special court is to be set up to which EU citizens have access and which will check compliance with data protection measures. If that court finds that data was collected in violation of the new guidelines, it could order the deletion of the data, emphasizes the EU Commission. US companies could join the compact by committing to comply with a range of data protection obligations.
>
EU Commission President Ursula von der Leyen said the new agreement will ensure secure data traffic for Europeans and offer companies on both sides of the Atlantic legal certainty. In addition to the EU members, Norway, Liechtenstein and Iceland are also involved in the agreement with the Americans.
>
**The previous agreement failed with a bang**
>
The »Transatlantic Data Privacy Framework« is a successor solution to an agreement called »Privacy Shield«, which was overturned by the European Court of Justice (ECJ) in 2020 . With a view to the access options of the US authorities, the requirements for data protection are not guaranteed, the judges decided at the time. The legal protection for those affected was also insufficient.
>
The verdict was the result of years of litigation. The data protection activist Max Schrems had originally complained to the Irish data protection authority that Facebook Ireland forwarded its data to the parent company in the USA, although this data was not adequately secured there against US surveillance programs. As early as 2015, Schrems filed a lawsuit invalidating the transnational “Safe Harbor” agreement between the USA and the EU.
>
Schrems, who has since co-founded the civil rights organization noyb, commented on the agreement: »They say the definition of insanity is doing the same thing over and over again and expecting a different result. (…) We now had ‘harbors’, ‘umbrellas’, ‘shields’ and ‘frameworks’ – but no substantial change in US surveillance law.« The current press releases are almost a verbatim copy of those from 23 years ago. “The mere assertion that something is ‘new’, ‘robust’ or ‘effective’ is not sufficient before the Court,” says Schrems. “We needed a change in US surveillance law and there isn’t one.”
>
Ralf Wintergerst, President of the tech industry association Bitkom, on the other hand, said that the “Data Privacy Framework” was the end of “a three-year stalemate”: “Companies will fundamentally regain legal certainty if they have to transfer personal data between the EU and the USA .” However, Wintergerst also emphasized that it is foreseeable “that the new regulation that has now been found will be reviewed again by the courts”: “There it will be seen whether the EU legislator has found a legally resilient regulation with the ‘Data Privacy Framework’ .«