News

U.S. and European Union Agree on a New Trans-Atlantic Data Privacy Framework

The Biden White House and the European Commission  have taken first steps in agreeing on a new "Trans-Atlantic Data Privacy Framework".

Once the agreement, which needs to be put into a legal document, is finalized, it then needs to be institutionalized with a court process to address complaints by EU residents about how their information gets processed by U.S.-based organizations. Processes that should take months to finalize.   

This U.S.-EU agreement will "enable predictable and trustworthy data flows between the EU and U.S., safeguarding privacy and civil liberties," contended Ursula von der Leyen, the European Commission's president, in a released statement.

Here's what the U.S. government agreed to under this new framework agreement, per the European Commission's announcement:

  • The United States will "strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities."
  • The United States will establish "a two-level independent redress mechanism with binding authority to direct remedial measures."
  • The United States will "ensure compliance with limitations on surveillance activities."

Privacy Shield Concerns Said To Be Addressed
The new agreement is said to address the EU's Court of Justice "concerns" about an earlier "Privacy Shield" data privacy and data processing agreement with the United States. Privacy Shield has been on hold since the court's "Schrems II decision of July 2020."

Schrems II is a reference to Austrian citizen Maximillian Schrems, who had filed two complaints about U.S.-based Facebook's processing of his personal information.

Back in 2020, the EU's Court of Justice had indicated (PDF) that under the Data Shield agreement, the personal data of EU residents would be processed according to U.S. laws. Such processing didn't meet the conditions of EU data privacy laws, specifically the EU's General Data Protection Regulation, the court had indicated. Moreover, there was no U.S. court process for EU "data subjects" to contest the U.S. processing of personal data.

The Privacy Shield agreement has been in limbo since that 2020 Schrems II decision. However, U.S. and European Commission officials are now signaling a breakthrough of sorts, although specific agreement details apparently weren't published.

Plaintiff Schrems expressed skepticism about the new agreement in a March 25 Twitter post, saying that it "seems we do another Privacy Shield, especially in one respect: Politics over law and fundamental rights." He predicted that this new agreement will "fail again."

The Privacy Shield agreement itself had been a reworked agreement. It emerged after the EU's European Court of Justice scrapped an earlier "Safe Harbor" framework for the trans-Atlantic processing of data back in October of 2015.

The new data privacy agreement, if viable, could grease the revenue skids for U.S.-based service provider companies eyeing EU markets. Trans-Atlantic data commerce represents "$7.1 trillion" in trade, according to Biden's statement.

The current U.S. government, though, may not be in a position to achieve the goals set by Shrems II, suggested Gary LaFever, general counsel and CEO of Anonos, a maker of privacy data enablement software, in a released statement:

The ruling that invalidated the Privacy Shield (Schrems II) requires that a ruling be guaranteed in U.S. law (not likely to happen with the current US Congress) or with technical supplemental measures recommended by the EDPB [European Data Protection Board] and by the EDPS [European Data Protection Supervisors] that enable ongoing data processing while safeguarding the fundamental rights of EU citizens to privacy. Currently, the agreement meets neither standard.

Microsoft Pledges Support
Microsoft on Friday announced support for the new Trans-Atlantic Data Privacy Framework, pledging to both embrace it and "go beyond it."

The company plans to address the framework in two ways, according to Julie Brill, Microsoft's corporate vice president for global privacy and regulatory affairs and chief privacy officer.

First, Microsoft plans to challenge U.S. government demands to access personal data when those demands do not comply with the Trans-Atlantic Data Privacy and Security Framework.

Second, Microsoft plans to "actively participate in the judicial review of an individual's claim of harm related to Microsoft's public sector and commercial cloud services." It'll also pay "monetary compensation" to its public sector and commercial customers if data were disclosed unlawfully following a government request.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

  • Image of a futuristic maze

    The 2024 Microsoft Product Roadmap

    Everything Microsoft partners and IT pros need to know about major Microsoft product milestones this year.

  • Microsoft Sets September Launch for Purview Data Governance

    Microsoft's AI-powered Purview solution to address governance and security challenges is set to become generally available on Sept. 1.

  • An image of planes flying around a globe

    2024 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • End of the Road for Kaspersky in the United States

    Kaspersky on Monday said it is shuttering its U.S. operations, just days before a nationwide ban on sales of its security software was set to take effect.