The EU has taken a step towards ensuring its citizens have better protection from prying eyes in the US, with both parties agreeing to regulations that safeguard “transatlantic data flows.” In practice, this could mean American companies such as Meta being obliged to delete European citizens’ data instead of holding onto it indefinitely.
Announcing the mutual decision regarding the new set of regulations, EU governing body the European Commission (EC) said: “US companies will be able to join the EU-US Data Privacy Framework by committing to comply with a detailed set of privacy obligations.”
It added this would include a “requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties.”
Commenting on whether the new regulations will be mandatory or not, an EC spokesperson told Cybernews: “US companies will be able to certify their participation in the EU-US Data Privacy Framework by committing to comply with a detailed set of privacy obligations.”
These obligations would include “purpose limitation and data retention, as well as specific obligations concerning data security and the sharing of data with third parties.”
In addition, the proposed framework would allow EU citizens to “benefit from several redress avenues” if their personal data is handled in violation of the new measures, including access to free dispute resolution and arbitration services.
The agreement follows a European Court of Justice ruling on a data privacy case in 2020, known as Schrems II, which decided that the existing exchange arrangements between the US and EU were no longer valid, and the subsequent signing of a US Executive Order by President Joe Biden in October this year.
“The US legal framework provides for a number of limitations and safeguards regarding the access to data by US public authorities, in particular for criminal law enforcement and national security purposes,” said the EC.
The proposal is in draft and due to be reviewed by the European Data Protection Board, after which the EC will seek approval from EU member states.
“In addition, the European Parliament has a right of scrutiny over adequacy decisions,” said the EC. “Once this procedure is completed, the commission can proceed to adopting the final decision.”
It added that the framework would be periodically reviewed by both the US and EU, with the first of these to take place within a year of the measure entering into law “to verify whether all relevant elements of the US legal framework have been fully implemented and are functioning effectively in practice.”
The proposed measure takes its cue from the landmark General Data Protection Regulation published in 2016, which grants the EC power to legally enforce guarantees that countries outside the EU offer its citizens the same level of data protection as they enjoy within its borders.
“The effect [...] is that personal data can flow freely from the EU, and Norway, Liechtenstein, and Iceland, to a third country without further obstacles,” said the EC.