The framework introduces “safeguards” to address all concerns raised by the European Court of Justice, including limiting access to EU data by US intelligence services.
Ursula von der Leyen, president of the EU Commission said: The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic.
“Following the agreement in principle I reached with President Biden last year, the US has implemented unprecedented commitments to establish the new framework.
“Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values.
“It shows that by working together, we can address the most complex issues.”
Drew Bagley, VP and counsel, privacy and cyber policy at CrowdStrike believes that the act is a positive development in the mission to protect individuals and organisations on both sides of the Atlantic against cyber threats.
“Modern IT infrastructure, cybersecurity and privacy compliance programs are dependent upon global data flows.
“Data localisation is not a substitute for data protection, and the new Framework stands in sharp contrast to some policy and certification proposals that mistakenly prioritize localising data over protecting would-be victims from breaches.
This, Bagley adds, marks an opportunity to accelerate the G7’s Data Free Flow with Trust initiative and ensure defenders have the tools they need to defend against cyber-attacks.
Opposition
However, data privacy activists have slammed the decision and will challenge the ruling in court.
Austrian-based non-profit group None of Your Business (NOYB) led by Max Schrems has launched an attack on the ruling, noting that the framework is “not based on material changes, but by political interests”.
"We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong,” he said.
“We currently expect this to be back at the Court of Justice by the beginning of next year.
“For the sake of legal certainty and the rule of law we will then get an answer if the Commission's tiny improvements were enough or not.
“For the past 23 years all EU-US deals were declared invalid retroactively, making all past data transfers by business illegal - we seem to just add another two years of this ping-pong now."
