- The approval this week by the European Union to a data transfer deal with the United States removes a big liability risk from companies that do business across the Atlantic.
- The Trans-Atlantic Data Privacy Framework, approved July 10, allows companies that collect data on EU residents to maintain the data on U.S. servers without risking violation of the General Data Protection Regulation.
- “Hopefully [this] puts an end to legal uncertainty for thousands of American companies,” Lartease Tiffith, executive vice president for public policy of the Interactive Advertising Bureau, said in a statement.
Facebook parent Meta is the highest profile company to be ensnared in data transfer problems between the U.S. and Europe.
The company was fined $1.3 billion in May for collecting and storing data on Europeans on its U.S. servers. It’s the kind of thing thousands of companies, big and small, do every day as a way to operate with cost efficiencies they couldn’t get by maintaining server facilities of the same scale in Europe.
“This is not about one company’s privacy practices,” Jennifer Newstead, Meta’s chief legal officer, said after the fine was imposed. “There is a fundamental conflict of law between the U.S. government’s rules on access to data and European privacy rights.”
The company was on the hook to either delete the data or send it to the EU for storage on servers there, but it can keep the data on its U.S. servers now that the agreement is passed.
“We welcome the new Data Privacy Framework, which will safeguard the goods [and] services relied on by people and businesses on both sides of the Atlantic,” Nick Clegg, Meta president for global affairs, said in a statement.
The company wants to get the $1.3 billion fine removed and said it would appeal the ruling that imposed the fine, but getting the money back despite the agreement isn’t a forgone conclusion, The Wall Street Journal reported.
Data transfer problems have been causing risk headaches for U.S. companies for years, largely because of the way the federal government monitors data flows on national security grounds, a practice that was kept in the dark until it was exposed in 2013 by whistleblower Edward Snowden.
Earlier agreements between the EU and U.S. were shot down in European courts on the grounds the data surveillance violated the right of Europeans to know how their data is being used and have it removed if they request it.
Under this latest agreement, the U.S. has agreed to limit data surveillance to the minimum necessary for security purposes and it’s creating a governing body, called the Data Protection Review Court, that will field European requests to have data removed, although the requests have to go through other processes before they get heard by the court.
President Biden initiated the process to create the data protection court and take other steps to meet EU concerns last year in an executive order, signaling to the EU the federal government was making the data transfer agreement a priority.
Critics say this latest agreement will get knocked down in court like the others, but supporters say the steps the U.S. has taken have a good chance of standing up to challenges.
"There has been significant reform to U.S. law and practices when it comes to surveillance safeguards,” said Joe Jones, director of research and insights for the International Association of Privacy Professionals, Politico reported. “This is not a reheating of the framework that was [previously] struck down.”
But there remain many critics to the deal in Europe and plans are already underway to challenge it in court.
“The framework does not provide any meaningful safeguards against indiscriminate surveillance conducted by U.S. intelligence agencies,” said Birgit Sippel, a European lawmaker from the Socialists and Democrats group who specializes in civil liberties issues, The New York Times reported. “This lack of protection leaves Europeans’ personal data vulnerable to mass surveillance, undermining their privacy rights.”
For now, though, companies face reduced risk from their data management practices as long as they conform their processes to what the U.S. and EU agreed to.
The U.S. Department of Commerce is the agency handling the matter and details on conforming practices to the agreement are expected to be added to the department’s Privacy Shield resources.