The E.U.-U.S. Data Privacy Framework, aimed at enabling data from companies such as Google LLC and Meta Platforms Inc. to move back and forth between the two jurisdictions, today was adopted by the European Union.

Today’s action by the European Commission, the EU’s executive arm, follows their adoption by the U.S. Department of Commerce last week. The action also creates a new U.S.-based judicial body, called the Data Protection Review Court, which will review cases about EU privacy rights that fall under the framework’s jurisdiction.

For example, someone from Europe could object that private data was improperly collected by an American intelligence agency, such as what happened a decade ago with the documents released by Edward Snowden. New protective policies will be enacted by the Civil Liberties Protection Office within the Office of Director of National Intelligence as part of the framework.

Before Europeans can file with the U.S. review court, they first need to request their local data protection regulator to take on the case, and that regulator would then interact with the U.S. court. That seems like a cumbersome process. The issue is there is some daylight between what the American intelligence agencies want, which is the ability to collect and analyze data on potential threats, and what the Europeans want, which is the ability to keep this data private.

The cross-border agreements have been in the works since March 2022, and follow an executive order issued by President Biden last October that laid out the proposed framework. They bring some clarity about when U.S. agencies can obtain private Europeans data, such as collecting only data that meets particular national security needs and how this data is handled throughout its collection and analysis.

As the New York Times mentioned in its coverage today, U.S.-based technology companies can “transfer digital data across the Atlantic without running afoul of Europe’s privacy laws.” However, that remains to be seen. Not everyone is happy with the framework.

After Snowden, Austrian privacy activity Max Schrems (pictured, adjacent) sued successfully in 2020 to block the 2016 U.S.-E.U. data sharing agreements called Privacy Shield. At that time, this law was struck down because it didn’t have sufficient privacy protections. (Husch Blackwell has a detailed timeline and analysis of these previous agreements.)

Today’s new framework is its replacement. Schrems founded None of Your Business, to focus on privacy issues. He blogged that this “is largely a copy of the failed Privacy Shield” and still doesn’t address his original issues. One problem, which goes back to the Snowden era, is that bulk data collection by the intelligence agencies is still allowed. He claims that reviews to the section 702 regulations for non-U.S. persons remains unchanged. “Just like ‘Privacy Shield,’ this latest deal is not based on material changes, but by political interests,” he wrote.

Schrems said in his blog he plans on suing again, saying it’s still inadequate and basically unworkable, and predicts that the first test cases will probably reach the EU courts at the end of this year. Members of the EU Parliament have also criticized the new framework, claiming it still doesn’t go far enough to protect Europeans’ data privacy.

Image: TheDigitalArtist/Pixabay; photo: None of Your Business