The US is complying with a key framework that regulates how thousands of tech companies share information across the Atlantic, an initial review has found — but opponents complain the European Commission is marking its own homework.
The US is complying with a key framework that regulates how thousands of tech companies share information across the Atlantic, an initial review has found — but opponents complain the European Commission is marking its own homework.
The US is complying with a key privacy framework required to ensure Europeans’ data isn’t misused when sent overseas, the European Commission concluded in a report published on Wednesday.
The EU-US data privacy framework regulates transatlantic data flows for thousands of companies – but privacy advocates worry it’s full of loopholes.
“The US authorities have put in place the necessary structures and procedures to ensure that the data privacy framework functions effectively,” the Commission concluded in its review of the deal, specifically praising the set-up of a US oversight authority.
Over 2,800 US companies are currently certified under the deal, allowing them to exchange data more easily and cheaply, the report said.
The framework was introduced in 2023 after the EU’s highest court struck down two previous data-sharing arrangements, known as the privacy shield and safe harbour decisions.
One year on, the Commission, alongside the European Data Protection Board (EDPB), national data protection authorities, and representatives of various US government departments, assessed its implementation.
The new framework was intended to address judges’ concerns that the collection of European citizens’ private data by US companies and intelligence services was disproportionate.
But critics remain sceptical.
“The United States is not adhering to what it promised the Commission,” Philippe Latombe, a former member of the French data protection authority (CNIL) and a former MP, told Euronews.
He pointed to the US Foreign Intelligence Surveillance Act (FISA), which was supposed to be abandoned but was instead renewed last spring, and which allows US intelligence to collect data from American platforms and applications such as Teams, Cisco, and WebEx. “The Commission knows this, acknowledges it, yet it fails to draw conclusions from its own findings,” Latombe added.
The Commission’s report acknowledges FISA and concludes that future mitigation measures could be introduced.
NOYB, an activist group focused on online privacy, has also expressed frustration with a report which it says constitutes the Commission marking its own homework.
“We’ve lost count of the positive reports published by the Commission in recent years. Despite them, the [EU] Court of Justice has consistently found massive violations. It’s like a student claiming to have done everything perfectly, when in fact, they are bound to fail,” NOYB told Euronews.
Latombe has already initiated legal action against the EU-US framework, and NOYB has also indicated its intention to challenge the deal.
The industry is more positive.
The Business Software Alliance, a lobby group representing major software manufacturers, welcomed the report, saying they “are pleased to see confirmation that US authorities have successfully put in place all the necessary elements to support the framework’s data protection standards.”
According to the International Association of Privacy Professionals (IAPP), the report is “welcome news for organisations seeking predictability in this area”.
“It also confirms that adequacy remains a strategic priority for the European Commission in its support for data flows on the global stage,” IAPP added.
The framework is next due to be assessed in three years’ time.