European Union, US Agree Data-Sharing Pact

Tom Burroughes

11 July 2023

The European Union has agreed a new deal governing transatlantic data transfers after it said that the US has accepted an “adequate” level of protection over citizens’ information.

The agreement comes at US President Joe Biden embarked on his visit to European capitals this week.

The EU-US pact on data is designed, so its framers say, to ease worries about information transfers and concerns that the US takes a more hands-off view on privacy than its European counterparts tend to do.

While it has access to the EU Single Market, Switzerland is not covered by this agreement.

There’s a wealth management dimension to this; the protection of client privacy in a globalized world is implicit in how the sector operates. But, as controversies have shown, there can be conflict between governments’ demands to foil offshore tax evasion, and other offences, and the need to protect legitimate client privacy.

“The adequacy decision concludes that the United States ensures an adequate level of protection – compared to that of the EU – for personal data transferred from the EU to US companies participating in the EU-US Data Privacy Framework,” the European Commission said in a statement yesterday.

European Commission President Ursula von der Leyen yesterday was quoted saying that the EU’s executive adopted a so-called adequacy decision, allowing thousands of firms to safely ship data to the US without fear of violating EU privacy law – for the time being.

The US and EU have been in dispute about privacy in recent years. In 2020, the EU’s top court annulled the so-called Privacy Shield, the previous agreement regulating transatlantic data flows. Businesses, including private banks, wealth and asset managers, exchange information. There have been worries that legal frictions will hurt trade. Max Schrems, a privacy lobbyist, has been involved in EU court cases that ended up striking down the bloc’s previous transatlantic data flow decisions.

Adequacy
“The adequacy decision follows the US' signature of an executive order on "Enhancing Safeguards for United States Signals Intelligence Activities," which introduced new binding safeguards to address the points raised by the Court of Justice of the European Union in its Schrems II decision of July 2020,” the European Commission said. “Notably, the new obligations were geared to ensure that data can be accessed by US intelligence agencies only to the extent of what is necessary and proportionate, and to establish an independent and impartial redress mechanism to handle and resolve complaints from Europeans concerning the collection of their data for national security purposes,” it continued.

The Commission explained that an “adequacy decision” is one of the tools provided under the General Data Protection Regulation to transfer personal data from the EU to third countries which, in the assessment of the Commission, offer a comparable level of protection of personal data to that of the European Union.

The US government has set up a “redress mechanism” to handle complaints from people whose data has been transferred from the EU to the US. This also covers countries in the European Economic Area : EU countries and also Iceland, Liechtenstein and Norway. It does not cover Switzerland.