New EU deal legalizes transatlantic data transfers once again

European flags

In 2020, an EU court decided that a deal allowing for data transfers of user data across the Atlantic was illegal. But on Monday, the European Union approved a new plan to continue allowing the data of EU citizens to be stored by tech companies within the United States.

The European Commission adopted an "adequacy decision" for the Trans-Atlantic Data Privacy Framework, concluding that the US does ensure an adequate level of protection to transferred data that's "comparable to that of the European Union."

The framework includes binding safeguards to address concerns raised by the European Court of Justice, such as limiting access to EU data by US intelligence services to "what is necessary and proportionate." It also establishes a Data Protection Review Court that EU citizens can access, and other improvements that the previous Privacy Shield framework failed to offer.

That court was formed as part of a President Biden executive order in 2022, reports the Wall Street Journal.

"The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic." said EC President Ursula von der Leyen in a statement. "Following the agreement in principle I reached with President Biden last year, the US has implemented unprecedented commitments to establish the new framework."

US-based companies can join the framework by committing to a list of privacy obligations, such as deleting personal data when it's no longer needed for the purpose for which it was collected in the first place.

The adoption of the framework puts in place a way for US-based tech companies to continue operating with trans-Atlantic data transfers, without needing to resort to appeasing EU data privacy rules by investing more heavily in EU-specific infrastructure, for example.

The change will be useful for companies like Meta, which was slapped with a 1.2 billion euro ($1.3 billion) fine from the European Union in May over its ruled-illegal data transfers. While the deal means Facebook won't necessarily need to make considerable changes to how it handles data, it is still expected to pay the fine.

Meta, Facebook's parent company, is appealing the fine.

Though the new framework will be beneficial to tech giants, it is likely that it will face legal challenges from privacy advocates in the United States who may still be against the prospect of the data transfers.