The EU-US Data Privacy Framework entered into force on July 11, 2023. It is the successor to the EU-US Privacy Shield, which was deemed insufficient and invalidated by the European Court of Justice in 2020. However, it remains to be seen whether the new agreement will provide a lasting solution to transatlantic data privacy.

What Is the EU-US Data Privacy Framework?

The EU-US Data Privacy Framework is an agreement between the United States and the European Union. It was created to regulate transatlantic data transfers and ensure the protection of personal data. However, the new agreement has already been facing criticism and legal challenges since it came into force on July 11, 2023. While the European Commission and the United States have called the framework an effective privacy tool, data protection watchdogs such as NOYB have cast doubt on its legality. The legal situation remains unstable, and there is a possibility that the successor to Privacy Shield and Safe Harbor will also be challenged in court.

The New Data Protection Agreement Is Being Challenged – Legal Situation Remains Unstable

Three years after the cancellation of the EU-US Privacy Shield, legal certainty for transatlantic data transfers has returned. The question is: for how long?

The Safe Harbor agreement lasted 15 years until it was declared invalid by the EU Court of Justice in 2015. The EU-US Privacy Shield, introduced in 2016, lasted about four years until it succumbed to the same fate in July 2020.

The EU-US Data Privacy Framework could be even more short-lived: NOYB has already announced it will appeal the new agreement to the European Court of Justice. As early as the end of 2023, the EU Court of Justice could suspend the agreement until it makes a decision on its legal validity. The latter is expected in 2024 or 2025. The likelihood of a renewed annulment of the data protection agreement between the EU and the U.S. is very high. This is because NOYB does not see any substantial improvement in the new agreement compared to its predecessors.

The main point of criticism is that under US law, EU citizens are still not treated the same as U.S. citizens when it comes to data protection rights. Under FISA 702, a U.S. law regulating worldwide intelligence surveillance of non-U.S. persons, they can still be monitored by U.S. intelligence agencies without specific cause and without a court order.

Interestingly, according to NOYB, the U.S. surveillance laws not only violate several articles of the EU Charter of Fundamental Rights, but also the 4th Amendment of the U.S. Constitution.

How Should Companies in Austria React Now?

In view of the unstable situation, companies should act cautiously and not rely exclusively on the new agreement. The currently restored legal certainty only gives companies a little more time to set up their systems and data processing in a sustainably data protection-compliant manner, without having to reckon with being targeted by the data protection authorities in the meantime. "Sustainably data protection-compliant" means that companies can ensure the protection of personal data even if the EU-US Data Privacy Framework is annulled.

Therefore, it is advisable to continue looking for IT solutions and software that are not subject to the legislation of so-called unsafe third countries in terms of data protection. As long as the new agreement is valid, the USA is once again a safe third country. But it is likely that it will lose this status again.

Companies are on the safe side if the solutions they choose come from countries where the GDPR applies: all EU member states as well as Iceland, Liechtenstein and Norway. For solutions from countries other than those mentioned above, we recommend seeking legal advice. A proactive approach and continuous monitoring of legal developments are essential to ensure compliance with applicable data protection regulations.

Example Web Analytics: Piwik PRO as an Alternative to Google Analytics

Especially in the area of web analytics, i.e. the analysis of data in the online sector, it is essential that sensitive information is protected and processed in a legally compliant manner. Due to the unstable legal situation described above, the question of a suitable alternative to established web analytics tools such as Google Analytics remains in focus. Companies should therefore consider using alternative solutions for web analytics instead of relying exclusively on Google Analytics.

This is where Piwik PRO comes in. As a European web analytics platform, Piwik PRO offers a privacy-compliant alternative to Google Analytics. Using on-premises or cloud-hosted deployments, Piwik PRO allows companies to retain full control over their data and process it in accordance with European data protection regulations. This minimizes dependence on agreements between the EU and third countries. Piwik PRO also offers features such as anonymization of IP addresses, opt-out options for users and comprehensive encryption of data transmission.

Companies can thus make their data-driven decisions while respecting the privacy of their customers. Especially in times when data privacy is a key issue and legal requirements are becoming increasingly stringent, it is important to rely on a reliable and legally compliant web analytics solution.

Conclusion: Don’t Rely on the EU-US Data Privacy Framework

In summary, the EU-US Data Privacy Framework unfortunately does not provide the stability hoped for, as its challenge is already underway. Companies in Austria should therefore be cautious and consider alternative solutions. It is important not to rely on just one data protection agreement.

Note: This article does not constitute legal advice.