A deal to ensure that data from Meta, Google and scores of other tech companies can continue flowing between the United States and European Union was finalized on Monday, after the digital transfer of personal information between the two jurisdictions had been thrown into doubt because of privacy concerns.
The decision adopted by the European Commission is the final step in a yearslong process and resolves — at least for now — a dispute about American intelligence agencies’ ability to gain access to data about European Union residents. The debate pitted U.S. national security concerns against European privacy rights.
The accord, known as the E.U.-U.S. Data Privacy Framework, gives Europeans the ability to object when they believe their personal information has been collected improperly by American intelligence agencies. A new independent review body made up of American judges, called the Data Protection Review Court, will be created to hear such appeals.
Didier Reynders, the European commissioner who helped negotiate the agreement with the U.S. attorney general, Merrick B. Garland, and the commerce secretary, Gina Raimondo, called it a “robust solution.” The deal sets out more clearly when intelligence agencies are able to retrieve personal information about people in the European Union and also outlines how Europeans can appeal such collection, he said.
“It’s a real change,” Mr. Reynders said in an interview. “Protection is traveling with the data.”
President Biden issued an executive order laying the groundwork for the deal in October, requiring American intelligence officials to add more protections for the collection of digital information, including by making them proportionate to the national security risks.
The trans-Atlantic agreement was a top priority for the world’s biggest technology companies and thousands of other multinational businesses that rely on the free flow of data. The deal replaces a previous accord, known as Privacy Shield, which was invalidated in 2020 by the European Union’s highest court because it did not include enough privacy protections.
The lack of an agreement had created legal uncertainty. In May, a European privacy regulator pointed to the 2020 judgment when fining Meta 1.2 billion euros ($1.3 billion) and ordering it to stop sending information about Facebook users in the European Union to the United States. Meta, like many businesses, moves data from Europe to the United States, where it has its headquarters and many of its data centers.
Other European privacy regulators ruled that services provided by American companies, including Google Analytics and MailChimp, could violate Europeans’ privacy rights because they moved data through the United States.
The issue traces back to when Edward Snowden, a former U.S. national security contractor, released details of how America’s foreign surveillance apparatus tapped into data stored by American tech and telecommunications companies. Under laws such as the Foreign Intelligence Surveillance Act, U.S. intelligence agencies may seek to gain access to data about international users from companies for national security purposes.
After the disclosure, an Austrian privacy activist, Max Schrems, began a legal challenge arguing that Facebook’s storage of his data in the United States violated his European privacy rights. The European Union’s top court agreed, striking down two previous trans-Atlantic data-sharing pacts.
On Monday, Mr. Schrems said he planned to sue again.
“Just announcing that something is ‘new,’ ‘robust’ or ‘effective’ does not cut it before the Court of Justice,” Mr. Schrems said in a statement, referring to the European Union’s top court. “We would need changes in U.S. surveillance law to make this work — and we simply don’t have it.”
Max Schrems, an Austrian online privacy activist, founded the campaign group NOYB (None Of Your Business).
Members of the European Parliament criticized the agreement. The parliament had no direct role in the negotiations, but passed a nonbinding resolution in May that said the agreement failed to create adequate protection.
“The framework does not provide any meaningful safeguards against indiscriminate surveillance conducted by U.S. intelligence agencies,” said Birgit Sippel, a European lawmaker from the Socialists and Democrats group who specializes in civil liberties issues. “This lack of protection leaves Europeans’ personal data vulnerable to mass surveillance, undermining their privacy rights.”
Mr. Reynders said people should wait to test the new policy in practice.
He said the new framework would establish a system through which Europeans could raise concerns with the American government. First, Europeans who suspect that their data is being unfairly collected by an American intelligence agency must file a complaint with their national data protection regulator. After further review, authorities will take the matter to American officials in a process that could eventually reach the new review panel.
Ms. Raimondo said this month that the U.S. Department of Justice has established that countries within the 27-nation European Union would have access to the tools that allow them to complain about abuses of their rights. She said the Office of the Director of National Intelligence has also confirmed that intelligence agencies added the safeguards established in Mr. Biden’s order.
“This represents the culmination of months of significant collaboration between the United States and the E.U. and reflects our shared commitment to facilitating data flows between our respective jurisdictions while protecting individual rights and personal data,” Ms. Raimondo said in a recent statement.