European Commission finds US agencies are adhering to data protection commitments
U.S. authorities have honored their commitment to put guardrails in place to limit American intelligence agencies’ access to Europeans’ personal data, the European Commission (EC) announced Wednesday.
The announcement comes on the heels of the EC’s first review of the EU-U.S. Data Privacy Framework (DPF), which is a voluntary program allowing U.S. companies to transfer personal data to the U.S. from the EU with adequate privacy protections in place. The DPF took effect in July of 2023.
The EC determined that U.S. authorities have “put in place all the constitutive elements of the framework,” an EC press release said.
“This includes the implementation of safeguards to limit access to personal data by U.S. intelligence authorities to what is necessary and proportionate to protect national security, and the establishment of an independent and impartial redress mechanism,” according to the press release.
Authorities in the U.S. and E.U must develop “common guidance” on DPF requirements in the coming months, the press release said.
The EC’s findings draw on feedback from civil society organizations, trade associations, EU data protection authorities, U.S. authorities and the general public, the press release said. In July, EC Commissioner for Justice Didier Reynders and U.S. Commerce Secretary Gina Raimondo met to discuss the DPF, a gathering which also informed the review’s findings.
The DPF set up a framework to allow personal data to flow freely from the EU to companies in the U.S. that participate in the program.
Its creation came in response to the adoption of a 2022 Biden administration executive order designed to enhance protections for U.S. signals intelligence “activities.” The U.S. said it would aim for targeted — rather than bulk — data collection, and any data gathered through bulk collection would be used for protecting against threats such as terrorism and foreign espionage.
The executive order followed a ruling from the EU’s Court of Justice in 2020.
The data protections established by the U.S. government relating to national security apply to all data transfers to companies in the U.S., “regardless of the transfer mechanisms used,” the EC has said.
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.