Big Tech Can Transfer Europeans' Data To US In Win For Facebook and Google

An anonymous reader quotes a report from Ars Technica: The European Commission today decided it is safe for personal data to be transferred from the European Union to US-based companies, handing a victory to firms like Facebook and Google despite protests from privacy advocates who worry about US government surveillance. The commission announced that it "adopted its adequacy decision for the EU-US Data Privacy Framework," concluding "that the United States ensures an adequate level of protection -- comparable to that of the European Union -- for personal data transferred from the EU to US companies under the new framework. On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards."

In May, Facebook-owner Meta was fined 1.2 billion euros for violating the General Data Protection Regulation (GDPR) with transfers of personal data to the United States and was ordered to stop storing European Union user data in the US within six months. But Meta said at the time that if the pending data-transfer pact "comes into effect before the implementation deadlines expire, our services can continue as they do today without any disruption or impact on users." The data-transfer deal "is expected to face a legal challenge from European privacy advocates, who have long said that the US needs to make substantial changes to surveillance laws," a Wall Street Journal report said today. "Transfers of data from Europe to the US have been in question since an EU court ruled in 2020 that a previous deal allowing trans-Atlantic data flows was illegal because the US didn't give EU individuals an effective way to challenge surveillance of their data by the US government."

The EC's announcement said the new framework has "binding safeguards to address all the concerns raised by the European Court of Justice, including limiting access to EU data by US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC), to which EU individuals will have access." The new court "will be able to order the deletion" of data that is found to have been collected in violation of the new rules. The framework will be administered and monitored by the US Department of Commerce and the "US Federal Trade Commission will enforce US companies' compliance," the EC announcement said. EU residents who challenge data collection will have free access to "independent dispute resolution mechanisms and an arbitration panel." US companies can join the EU-US framework "by committing to comply with a detailed set of privacy obligations, for instance the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties," the European Commission said. The latest deal is expected to get challenged, according to the WSJ. European Parliament member Birgit Sippel, who is in Germany's Social Democratic Party, said the "framework does not provide any meaningful safeguards against indiscriminate surveillance conducted by US intelligence agencies," according to The New York Times.

The Computer & Communications Industry Association, which represents major tech companies like Amazon, Apple, Google and Meta, said: "Today's decision means that EU and US businesses will soon have full legal certainty again to transfer personal data across the Atlantic... Data flows are vital to transatlantic trade and the EU-US economic relationship, which is worth 5.5 trillion euros per year. Nevertheless, the two economies had been left without guidelines for data transfers after an EU Court ruling invalidated the previous framework back in 2020."

Oh That's Good News

[Your Anus]

I was worried there when that report came out detailing the abuse by government agencies of intelligence data. I guess it's all hunky dory now!

Re:

[Frank Burly]

That is the nice thing about Five Eyes. The Brits don't care that I'm growing pot and the NSA doesn't care that Jan Jakob Jingleheimer collects Nazi odds and ends. Now they can practice that benign indifference in bulk.

Re:

[Rujiel]

It's the incriminating things that are meant to be gathered "in bulk" What is benign about the NSA's spying on everyone?

So much for EU privacy rules!

[oldgraybeard]

US Big tech corps are running the show both in the EU and the US.

Money talks

[wakeboarder]

You can bet that FANG has been gunning hard for this, and apparently the EU can be bought out.

Re:

[Pinky's Brain]

They'd rather Section 702 and Cloud Act went away ... they are only one leak away from getting utterly fucked. It's pretty clear they are violating the GDPR all over the place regardless where they process the data.

Every server from an US company anywhere in the world is under US jurisdiction and every non US citizen is a suspected terrorist.

Re:

[higuita]

don't worry, every US citizen is also a suspected terrorist for the British, Canadian and Australian, that in turn can casually share all that info with the US agencies, as they must do off country backups of that data in US servers

Re:

[AmiMoJo]

It seems like the EU has won a major victory here. The US has agreed to set up a special court for EU citizens to use, for free. The EU will monitor it to ensure that it meets GDPR levels of protection.

This establishes a legal framework that EU citizens can use to force US companies to delete their data.

In return the EU loses nothing. No watering down of privacy protections for EU citizens, only a considerable gain over previously difficult to regulate overseas data.

Makes life easier for EU tech startups

[kaur]

Real privacy considerations, governmental abuse and politics aside - this is good news for countless small companies and startups.

Say your HR or marketing or accounting department wants to start using Bamboo or Expensify or Zoom or Travelperk or Segment or any other US-based SaaS solution. The discussion in EU companies now goes like this.
- HR: "We found this great solution and want to use it. Friends use this and they are happy."
- Security guy *checking*: "They have ISO and SOC and secure APIs and SSO, loo

Re:

[oldgraybeard]

"ACLU" not likely! The ACLU of today is a bunch of lawyers running a non-profit political progressive attack operation. It is not the same group I used to donate to.

Re:

[higuita]

just do what many companies do, have their US servers and EU servers, problem solved!
instead of big setup in the US, 2 smaller setups in US AND EU
Many already do that for redundancy, just need 2 different master DBs

Soon in court

[manu0601]

This has been judged illegal two times by European Union Court of Justice. It will just take time to happen another time.

Re:Soon in court

[HBI]

What was the point of GDPR if not to shield people in the EU from US government surveillance and commercial misuse of their data in the US?

With this, might as well not have bothered. We know the US carries on warrantless surveillance, and the privacy protections in the US are not commensurate with EU regulation.

Re:

[sarren1901]

It's not about US government but US business. EU governments WANT the US to spy on their people just like US government wants UK and company to spy on us. Then they share the data back and forth. No rules broken!

Re:

[HBI]

You'd think someone would bring this up in court, that's the kind of thing a judge would find themselves having reasonable jurisdiction over.

Re:

[test321]

What was the point of GDPR if not to shield people in the EU from US government surveillance and commercial misuse of their data in the US?

The point is to shield people in EU from *commercial* surveillance without consent. Government surveillance through intelligence services is only covered in the sense that it is another legitimate reason that does not need individual consent. GDPR did not create a right to opt-out from the government surveillance of an EU member state.

Re:

[HBI]

It created the requirement to keep commercial data in the EU or another state that had commensurate privacy protections. This becomes important when dealing with multinational firms. If you did business with Amazon, that data under the basic GDPR scheme was required to stay in the EU and not be transmitted to the US for the US government to scrape. The concept is "data nationality".

EU commision and the media are full of shit

[Pinky's Brain]

This isn't even about the money. The EU governments just want the US to have warrantless surveillance on EU citizens, so the US can share the intelligence with EU nations constrained by their own laws.

Re:

[gweihir]

Yep, probably. And that is illegal. It will get stopped again though. Fucking politicos.

Re:

[higuita]

Sure... how about whatsapp? instagram? how many stupid people^W^W kids will do that and survive for a week? TikTok is now enough for those people, you know!!

Time for Max Schrems to stop that

[gweihir]

Again. It really is just criminal politicians on both sides ignoring the law.