USA-EU data transfer pact nears, EU says safeguards strong enough

A computer keyboard lit by a displayed cyber code is seen in this illustration picture taken on March 1, 2017. REUTERS/Kacper Pempel/Illustration

BRUSSELS, Dec 13 (Reuters) - The European Union on Tuesday took a step closer to sealing a data transfer pact with the United States as it issued a draft decision saying U.S. safeguards against American intelligence activities were strong enough to address EU concerns.

Both sides clinched a preliminary deal in March, cheering thousands of companies which found themselves in a legal morass after Europe's top court struck down a previous data transfer accord in 2020 on concerns about U.S. intelligence agencies accessing Europeans' data. It was the second such court veto.

U.S. President Joe Biden followed up in October with an executive order setting out new safeguards on the activities of U.S. intelligence gathering and creating a two-step system of redress, first to an intelligence agency watchdog then to a court with independent judges.

The European Commission's justice chief Didier Reynders said the draft adequacy decision shows that U.S. safeguards offer the same level of data protection to EU citizens as that under European law.

"Our analysis has showed that strong safeguards are now in place in the U.S. to allow the safe transfers of personal data between the two sides of the Atlantic," Reynders said in a statement.

"The future Framework will help protect the citizens' privacy, while providing legal certainty for businesses," he said.

Austrian privacy activist Max Schrems, whose campaign about the risk of U.S. intelligence agencies accessing Europeans' data in a long-running dispute with Meta led to the court vetoes, said the U.S. safeguards were not adequate for people outside the United States.

"I can't see how this would survive a challenge before the Court of Justice. It seems that the European Commission just issues similar decisions over and over again - in flagrant breach of our fundamental rights," he said in a statement.

Still, companies would be wise to have a fallback clause in the form of standard contract clauses in case the latest data transfer pact is challenged and rejected in court, said Patrick Van Eecke, head of law firm Cooley's European cyber, data and privacy practice.

"It is like putting the Concorde in the air again to New York: it is fast, smooth and easy for transporting people back and forth from Europe to the United States," he said.

"But you never know if it will be flying next year. So, use it when it is available, but make sure you have an alternative option which is air-ready if and when Concorde stops flying again."

EU data protection watchdog EDPB, EU countries and EU lawmakers will now offer non-binding opinions in a process that will likely take about six months, with the EU final adequacy decision expected before next summer.

Reporting by Foo Yun Chee Editing by Alexandra Hudson

Our Standards: The Thomson Reuters Trust Principles.