The USA has expressed its readiness to enter into a new agreement with the EU concerning the simplified transfer of personal data. The US Secretary of Commerce, Gina Raimondo, announced on Monday that the United States has fulfilled its commitments to implement the EU-US data protection framework. This agreement, which was announced in March 2022 by US President Joe Biden and EU Commission President Ursula von der Leyen, signifies the culmination of months of significant cooperation between the two sides. It reflects their shared commitment to facilitating data flows while respecting individual rights.
The need for a new agreement arose from the “Schrems II” ruling by the European Court of Justice in the summer of 2020. The court found that US laws, such as the Foreign Intelligence Surveillance Act and the Cloud Act, allowed for mass surveillance by agencies like the NSA. As a result, the Privacy Shield, which was the previous agreement governing data transfers, was invalidated. In response, both the US and EU assured the implementation of a new framework that includes improved data protection standards and increased privacy rights. President Biden’s Implementing Order 14086, issued in October 2022, requires US secret services to ensure that their data collections are “necessary and proportionate” and subject to better control. It also stipulates that legal remedies must be available to EU citizens.
On Friday, US Attorney General Merrick Garland declared the EU, along with Norway, Iceland, and Liechtenstein, as “qualified states” to implement the executive order. The US Intelligence Coordinator’s Office has confirmed that security agencies have adjusted their policies and procedures in accordance with the order. The EU Commission is now responsible for making an adequacy decision, which will determine whether personal data is adequately protected in the US as it is in the EU. US Secretary of Commerce Raimondo expressed confidence that the recent actions taken by the US will allow the Commission to move forward with passing the legislation.
However, not everyone is convinced of the adequacy of the new framework. The civil rights organization Noyb, founded by Max Schrems, argues that the third framework structurally resembles previous agreements that have been invalidated. They believe it is likely that the European Court of Justice will also declare this new agreement null and void. The internal affairs committee of the EU Parliament acknowledges some improvements but believes that there are still insufficient guarantees, particularly regarding protection against mass surveillance. EU data protection officials also have concerns.
In summary, the USA has fulfilled its commitments to implement a new data protection framework with the EU. However, there are differing opinions on the adequacy of the agreement, with some believing it may face challenges in the European Court of Justice. The final decision rests with the EU Commission, which must make an adequacy decision to determine the level of privacy protection in the US.
