(Bloomberg) -- European Union regulators took a big step toward ending the legal limbo that imperiled transatlantic data flows worth billions of dollars and sparked threats of an EU withdrawal from social network giant Meta Platforms Inc.
The US now ensures an “adequate level” of data protection, the European Commission said as it unveiled proposals to replace a previous accord that was torpedoed by the EU’s top court on privacy concerns.
The step follows months of negotiations with the US, which yielded an executive order by President Joe Biden and US pledges to ensure that EU citizens’ data is safe once it’s shipped across the Atlantic. The new pact still needs the approval by EU lawmakers and a panel of EU privacy watchdogs.
“US companies will be able to join the EU-U.S. Data Privacy Framework by committing to comply with a detailed set of privacy obligations,” such as to delete data that’s no longer needed, the commission said in a statement. US promises will ensure EU citizens’ defense rights, but will also limit access to data by US security agencies or other public authorities, the commission said.
The EU’s top court in 2020 toppled the bloc’s previous deal, over concerns that citizens’ data wasn’t safe from the prying eyes of US agencies when it was transferred from Europe. The so-called Privacy Shield had widely been hailed as providing the necessary protections, after EU judges stuck down the first such accord. The court ruling plunged whole swathes of the EU-US economy into a legal limbo, with firms clamoring to find legally watertight alternatives.
EU-US negotiators were forced back to the drawing board and the prospect of no deal led Meta, Facebook’s owner, to say it may have no choice but to pull its Facebook and Instagram services from the EU.
A breakthrough was reached earlier this year and the legal changes the US committed to this time represent a “fundamental shift” from what was in place before and “really target” concerns laid out by the EU court, a US government official said last month.
Privacy campaigner Max Schrems has been behind two EU court cases that ended up striking down the bloc’s previous data flow decisions. Schrems said in a statement through his group Noyb on Monday that “the changes in US law seem rather minimal.”
“We will analyze the draft decision in detail the next days,” said Schrems. “As the draft decision is based on the known executive order, I can’t see how this would survive a challenge” and “it seems that the European Commission just issues similar decisions over and over again — in flagrant breach of our fundamental rights.”
It’s widely expected the new pact will also face a court challenge.
“Of course we will have a challenge before the Court of Justice, I’m sure of that,” EU Justice Commissioner Didier Reynders said at an event on Monday. “I’m quite confident” that the new decision will be upheld in court, because “we’re very far, in a very robust system.”
The EU’s decision will now be analyzed by the European Data Protection Board, the body consisting of the bloc’s national privacy watchdogs and enforcers, and by the European Parliament. The commission has said that if all goes smoothly, the new EU-US Data Privacy Framework could be finalized in the first half of next year.