Brussels — The EU officially unveiled on Monday a data transfer pact between itself and the United States to end legal uncertainty for thousands of companies that transfer Europeans’ personal information across the Atlantic for services ranging from cloud infrastructure to payroll services. This agreement seeks to reassure multinationals they can safely move data despite concerns over electronic spying by the National Security Agency; furthermore it allows European citizens multiple avenues for redress, according to the Commission.
The data transfer pact marks Brussels’ third attempt to find an acceptable arrangement for personal data to flow between Europe and the US, after two previous agreements were invalidated by Europe’s highest court over concerns related to alleged National Security Agency surveillance of Europeans’ private information. Failing to reach an agreement could force companies to cease operations within EU or cease transfers altogether – potentially hurting GDP growth and jobs creation.
Establishment of an independent Data Protection Review Court will create a new redress mechanism, hearing complaints by Europeans about data being transferred to the United States. European data protection authorities can take enforcement actions if they believe companies have breached the new framework while the redress court may order suspension or deletion of transfers by certain firms of personal data.
Data flows between the EU and US are essential for both economic growth and social progress, given their respective roles as attractive investment markets for European firms. A recent study estimated that without cross-Atlantic transfers the global economy would suffer by losing an estimated annual $1 trillion; to restore trust to this exchange pact’s redress court and binding safeguards.
But the new pact faces immediate obstacles: non-profit privacy and digital rights group noyb, led by Austrian privacy activist Max Schrems, has already stated its intentions of challenging it before the European Court of Justice (CJEU), noting its changes seem minimal, insufficiently addressing concerns over bulk surveillance activities conducted by NSA and failing to adequately address concerns over bulk surveillance activities conducted by US spying services like NSA.
Holger Lutz of Clifford Chance law firm agrees, noting that although redress and binding safeguards are beneficial, they fall short in providing essential equivalence that European courts require when assessing compliance of data transfer agreements with European laws. He notes that although the Redress Court will certainly add value in adjudicating complaints effectively or suspend or delete transfers.
EU Justice Commissioner Didier Reynders stated on Monday that he anticipates the European Redress Court will be established by 2023. Reynders noted that for it to function effectively, changes need to be made in U.S. surveillance laws to address issues raised by Europe’s top court.