The European Commission yesterday approved the new bilateral data transfer treaty with the United States, which must allow non-European companies to send data from EU citizens to their servers in the United States with guarantees of privacy protection. Brussels and Washington trust that this agreement will be the final resolution of a conflict that opened eight years ago, when the Court of Justice of the European Union (CJEU) overturned the first of the pacts, which was followed by another that also be annulled by justice in 2020.
The president of the European Commission, Ursula von der Leyen, assured that the new treaty, called the Transatlantic Data Privacy Framework, constitutes “an important step to give citizens confidence that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values”.
Von der Leyen reached an agreement with US President Joe Biden in March 2022. The CJEU had annulled the two previous pacts, the Safe Harbor (2000) and Privacy Shield (2016), because the The US has a Foreign Intelligence Surveillance Act (FISA), which ensures that only a judge can authorize government agencies to access the data of US citizens, but not in the case of foreigners.
According to the European president, in compliance with the new treaty, the United States “has launched unprecedented commitments to establish the new framework”. Among these new safeguards is that Europeans can appeal to a data protection review tribunal if they believe their privacy has been breached.
The transatlantic flow of data is essential for the operation of numerous companies, not only technological ones, in a volume of intercontinental trade that is valued at 900,000 million euros. The judicial annulment of the treaties has kept many of these data in legal limbo. Meta, for example, was fined 1.2 billion euros by the Irish data privacy authority last May. This explains why its new platform that aims to replace Twitter, Threads, has not yet been established in Europe.
The main complainant of the pacts is the Austrian Max Schrems, who announced yesterday that he will bring the new treaty before the CJEU because he considers it practically a copy of the previous one. “They say the definition of insanity is doing the same thing over and over and expecting a different result. Like the Privacy Shield, the latest agreement is not based on material changes, but on political interests”, he stated. His organization, called noyb (in lowercase, an English acronym for ‘none of your business’), noted that the US has not changed its law, “which means that only people in the United States continue to have constitutional rights and they cannot be subject to surveillance without a court order”.
Alexandre Roure, director of public policy at the Brussels office of the Computer and Communications Industry Association, whose members include Apple, Google and Meta, noted yesterday that companies “ they finally have the certainty of a durable legal framework that allows personal data to be transferred from the EU to the United States”.
