The measures are part of a new pact on trans-Atlantic data flows that, if cemented, could give Meta and thousands of other companies a way to avoid such scrutiny. Concerns that Europeans’ personal information is left unprotected from US surveillance have put businesses in legal limbo since the scrapping of the EU-US Privacy Shield agreement on information transfers in 2020.
US officials working on the latest diplomatic deal with the European Union are “accelerating” their timeline for implementation, according to Alex Joel, a former US intelligence officer who’s currently a law professor at American University. The White House gave agencies until the fall to fulfill their side of the deal. The pact also needs final approval from the EU.
Meta faces a regulatory deadline to stop transferring data to the US in the fall as part of the Irish Data Protection Commission’s Monday decision. The social media giant has called the decision “flawed” and intends to appeal it.
The US government has been following the EU privacy action against Meta “very closely,” and is aiming for its new policy pact with the EU to go into effect by the summer, according to Caitlin Fennessy, a former Commerce Department official whose work focused on cross-border data protections.
US intelligence agencies are updating their policies and procedures with safeguards over spying that will align with the pact, known as the Trans-Atlantic Data Privacy Framework. The Justice Department also is fast-tracking approval of judges for a new Data Protection Review Court called for in the new pact, said Fennessy, who’s now vice president and chief knowledge officer at the International Association of Privacy Professionals.
Review Court
The Data Protection Review Court, housed in the Justice Department, will hear claims from people who believe they’ve been illegally surveiled by the US government. People can seek the court’s review after an initial investigation by a civil liberties official in the Office of the Director of National Intelligence.
The court will be made up of at least six judges appointed by the US Attorney General from outside the government, according to a regulation outlining its structure. The candidates have been selected and are undergoing expedited security clearances so that they can access classified information needed to conduct the reviews, Fennessy said.
The Justice Department’s office of privacy and civil liberties “is making substantial progress on staffing and equipping the court and expects to complete the process in the near future,” Wyn Hornbuckle, deputy director of public affairs at DOJ, said in an email.
The new authority replaces the Privacy Shield’s US ombudsman role for handling spying complaints, which fell to a State Department undersecretary. The European Court of Justice found in its 2020 decision striking down the pact that the former venue wasn’t politically independent and didn’t possess the power to influence intelligence-gathering activities.
The new court was designed to be insulated from interference, with legally binding decisions.
Surveillance Safeguards
The US government also must adopt safeguards for its surveillance activities to implementing the latest data-transfer framework. The safeguards are meant to address a worry that US spying laws allow for unchecked mass surveillance of individuals in Europe and elsewhere.
“Intelligence agencies are deep into the process of drafting and implementing changes,” said Peter Swire, a law professor at Georgia Tech and senior counsel with Alston & Bird LLP. Swire helped negotiate the earlier EU-US Safe Harbor data flows agreement during the Clinton administration.
A representative for the Office of the Director of National Intelligence didn’t immediately respond to a request for comment on the status of the safeguards.
Concerns about surveillance toppled the subsequent Privacy Shield, under which more than 5,000 businesses certified compliance.
Cross-Border Commerce
The Irish privacy fine against Meta “demonstrates the pressing need” to finalize the replacement EU-US data privacy framework, according to Jason Oxman, president and CEO of the Information Technology Industry Council. The trade association’s members include companies such as Meta and
“Now is the time to provide European and U.S. businesses a clear and legally sound system they can rely on to enable and protect critical data flows,” Oxman said in a statement. The deal would facilitate the continued flow of data that underpins more than $1 trillion in cross-border commerce every year, according to the White House.
In the absence of an impending policy solution, companies with business in Europe that transfer data to the US may be forced to decide whether they should keep information on Europeans at local data centers, or perhaps switch to European service providers as an alternative. Meta has threatened to pull its services from the EU entirely if the US data flows issue isn’t resolved.
“The open question now is what impact will this decision have more broadly for companies transferring data out of Europe,” Fennessy said.
To contact the reporter on this story:
To contact the editors responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
Learn About Bloomberg Law
AI-powered legal analytics, workflow tools and premium legal & business news.
Already a subscriber?
Log in to keep reading or access research tools.