EC Says European Private Data Can Flow to Compliant US Companies

Sometimes being deemed adequate is effectively good enough when comes to data privacy policy.

On Monday, the European Commission (EC) announced it would act on the EU-US Data Privacy Framework, which met its criteria as “adequate. This allows personal data to be transferred from companies in the European Union to companies in the United States. The news caught the attention of the private sector and stakeholders, including the International Association of Privacy Professionals (IAPP) as well as BBB National Programs.

The commission stated its satisfaction with assurances of adequate personal data protections in United States that put the country’s policies on a par with European Union nations. That means US companies that comply with data protection safeguards under the new Biden Executive Order and certification from the US Department of Commerce can get access to personal data from EU member nations without the need to adhere to additional policies.

The Risk of Losing Data Access in Europe

The possibility of the European nations halting access to data became urgent in the spring, when Meta announced it could be cut off from data sources, thanks to regulators in Ireland. Meta stated it could also face a $1.3 billion fine for transfers of personal data from Europe to the US.

Monday’s announcement laid out that organizations that comply with the framework could continue operations with EU countries. Courtroom litigation and evolving regulations are part of the data privacy landscape, but the approval of the framework may be a sign of clearer policies and compliance standards ahead for companies.

“This has been a very challenging set of negotiations,” says Joe Jones, director of research and insights with IAPP.  “There are very sensitive issues relating to the surveillance and national security and the safeguards that non-US persons can get, so it’s very sensitive, it’s very complex for various constitutional and legal reasons.” He says that last spring, US President Joe Biden and EC President Ursula von der Leyen reached an agreement in principle on such matters, though more work was needed to produce a tangible framework. “We’ve sort of been in this tunnel of negotiations to get it over the line and that happened today, so today is the EU green light,” Jones says.

A Tangled Data Web

The complexity of how data moves around the globe, he says, makes the approval of the framework relevant to many other countries that might see information flow from Europe through their local resources before it winds up with US-based companies. “It’s a pretty big milestone for the transatlantic relationship and data digital tech,” Jones says. “It's also a big deal for the rest of the world. Data flows are not so Point A to Point B.”

This is particularly relevant to hyper cloud computing services, he says. The framework is also significant to how the intelligence community can operate. “In Europe, there’s a concept called necessity and proportionality for when governments can intervene with privacy rights,” Jones says, “and that you can only do so as necessary proportionate.”

That extends to how surveillance is gathered, he says, and how authorities can access data. “For various reasons, US national security and surveillance authorities have different limitations and the European court wanted to see limitations of necessity and proportionality.” This includes limits on accessing data and giving EU citizens the ability to claim redress where they think they were surveilled.

“That’s hard because the very nature of surveillance is it’s conducted secretively and so it’s hard to know one’s been surveilled without really knowing,” Jones says. “The EU court wanted the nature of that redress to be independent and binding on the authorities.”

What Comes Next for Data Compliance

The business community had been waiting for guidance on how data privacy policy might look in the EU, says Dona Fraser, senior vice president of privacy initiatives with BBB National Programs, a nonprofit that oversees national, industry self-regulation programs. With the former EU-US Privacy Shield rendered invalid in 2020 by the European Court of Justice, new policy was needed. Fraser says companies wanted to comply and be able to safely conduct business without worry of intervention or whether or not their consumers were being treated properly, but policy was in limbo.

The announcement about the new framework seems to have restored confidence in the program. “This week,” she says, “we’ve received an enormous amount of inquiries from current and past participants saying, ‘What's next, what do we do?’ The eagerness that we’re hearing in the marketplace is, for us, from a business perspective, it’s great to hear.”

Logistics of the framework and the approval process for businesses still need to be worked out, Fraser says, but now the door is open for companies that halted work with data from Europe to reemerge. “Over the years, we’ve also seen companies who did not have this mechanism -- a lot of small to medium-sized companies -- either shut their doors or really had to shift their business.” This included finding partners overseas who could handle data from Europeans on their behalf rather than transfer it to the US.

Fraser says BBB National Programs wants to see how the new framework looks in the real world. “What are the possibilities for us to help companies be compliant? What types of solutions are out there for us to help companies get back into doing business with their EU consumers?” she asks. Though Fraser does not anticipate drastic changes will be necessary, her organization is paying close attention to next steps to establish compliance. “I think about really getting our hands dirty on what the logistics of this looks like,” she says.

What to Read Next:

European Commission Wants Labels on AI-Generated Content -- Now

Meta Hit with Record $1.3B GDPR Fine

Meta Preps Possible Halt of EU Services Pending Data Ruling