Data Privacy Framework Agreed to by U.S. and EU
A new "Trans-Atlantic Data Privacy Framework" was agreed to "in principle," as announced on Friday by the European Commission and the Biden White House.
The agreement isn't in effect right now, as it still needs to be put into legal documents, a process that can take "months," according to a Reuters story, citing an unnamed European Union (EU) official. The agreement also needs to be institutionalized with a court process to address complaints by EU residents about how their information gets processed by U.S.-based organizations.
However, this U.S.-EU agreement will "enable predictable and trustworthy data flows between the EU and U.S., safeguarding privacy and civil liberties," contended Ursula von der Leyen, the European Commission's president, in a released statement.
Here's what the U.S. government agreed to under this new framework agreement, per the European Commission's announcement:
- The United States will "strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities."
- The United States will establish "a two-level independent redress mechanism with binding authority to direct remedial measures."
- The United States will "ensure compliance with limitations on surveillance activities."
Privacy Shield Concerns Said To Be Addressed
The new agreement is said to address the EU's Court of Justice "concerns" about an earlier "Privacy Shield" data privacy and data processing agreement with the United States. Privacy Shield has been on hold since the court's "Schrems II decision of July 2020."
Schrems II is a reference to Austrian citizen Maximilian Schrems, who had filed two complaints about U.S.-based Facebook's processing of his personal information.
Back in 2020, the EU's Court of Justice had indicated that under the Data Shield agreement, the personal data of EU residents would be processed according to U.S. laws. Such processing didn't meet the conditions of EU data privacy laws, specifically the EU's General Data Protection Regulation, the court had indicated. Moreover, there was no U.S. court process for EU "data subjects" to contest the U.S. processing of personal data.
The Privacy Shield agreement has been in limbo since that 2020 Schrems II decision. However, U.S. and European Commission officials are now signaling a breakthrough of sorts, although specific agreement details apparently weren't published.
Plaintiff Schrems expressed skepticism about the new agreement in a March 25 Twitter post, saying that it "seems we do another Privacy Shield, especially in one respect: Politics over law and fundamental rights." He predicted that this new agreement will "fail again."
The Privacy Shield agreement itself had been a reworked agreement. It emerged after the EU's European Court of Justice scrapped an earlier "Safe Harbor" framework for the trans-Atlantic processing of data back in October of 2015.
The new data privacy agreement, if viable, could grease the revenue skids for U.S.-based service provider companies eyeing EU markets. Trans-Atlantic data commerce represents "$7.1 trillion" in trade, according to Biden's statement.
The current U.S. government, though, may not be in a position to achieve the goals set by Schrems II, suggested Gary LaFever, general counsel and CEO of Anonos, a maker of privacy data enablement software, in a released statement:
"The ruling that invalidated the Privacy Shield (Schrems II) requires that a ruling be guaranteed in U.S. law (not likely to happen with the current US Congress) or with technical supplemental measures recommended by the EDPB [European Data Protection Board] and by the EDPS [European Data Protection Supervisors] that enable ongoing data processing while safeguarding the fundamental rights of EU citizens to privacy. Currently, the agreement meets neither standard."
Microsoft Pledges Support
Microsoft on Friday announced support for the new Trans-Atlantic Data Privacy Framework, pledging to both embrace it and "go beyond it."
The company plans to address the framework in two ways, according to Julie Brill, Microsoft's corporate vice president for global privacy and regulatory affairs and chief privacy officer.
First, Microsoft plans to challenge U.S. government demands to access personal data when those demands do not comply with the Trans-Atlantic Data Privacy and Security Framework.
Second, Microsoft plans to "actively participate in the judicial review of an individual's claim of harm related to Microsoft's public sector and commercial cloud services." It'll also pay "monetary compensation" to its public sector and commercial customers if data were disclosed unlawfully following a government request.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.