The EU has issued a draft decision agreeing that the measures taken by the United States will ensure adequate protection for transfers of personal data from the region to US companies.
The signing of a US Executive Order by President Biden on October 7, 2022, along with regulations enacted by US Attorney General Merrick Garland, agreed that US intelligence agencies’ access to personal data from Europe would be limited to what is necessary and proportionate to protect it National security. Under the Cloud Act, US law enforcement agencies can request personal information from US-based tech companies (after issuing warrants or court orders), regardless of the location of the data, and this has been a key reason why data sharing with America is seen as a potential non-compliance EU data protection regulations.
In the new executive order, the US also offered EU citizens the opportunity to seek redress against the collection and use of their data by US intelligence agencies before an independent and impartial redress mechanism, including a newly created Privacy Review Court.
But activists said the deal fell short of legal requirements already laid down by the Court of Justice of the European Union, which overturned the so-called Privacy Shield data protection agreements between the political bloc and the US in July 2020.
US decree is a long way from settling EU data protection cases
Austrian data protection activist Max Schrems brought up the case – informally known as Schrems II – in 2015, complaining that the Irish data protection authority had failed to stop Facebook in Ireland from sending data to the US, where spy agencies could access it without any legal recourse from the EU citizens could access.
Following the ruling, the European Commission – the EU’s executive arm – began work on a data-sharing framework, a draft adequacy decision dubbed the EU-US Privacy Framework, designed to enable transatlantic data flows and to address the concerns of the ECJ.
This week’s draft decision follows the signing of a US executive order and new US rules, building on the agreement in principle announced by EU President von der Leyen and Biden in March 2022. The Commission has also sent the decision to the European Data Protection Board (EDPB) for its opinion.
Under the proposed agreement, US companies can join the EU-US data protection framework by committing to comply with data protection obligations, including the obligation to delete personal data when it is no longer necessary for the purpose for which it was collected , and to ensure continuity of protection when personal information is shared with third parties.
EU citizens have been promised redress if their personal data is treated in violation of the Framework, including a free independent dispute resolution mechanism and arbitration panel.
The US executive order also promised that the redress mechanism could include a newly created Data Protection Review Court, which promises to independently investigate and resolve complaints from Europeans, including by adopting binding remedies.
The data protection action group noyb, founded by Schrems, said that the new adequacy decision had already become obsolete as a result of the ECJ decision on US surveillance. It required that US surveillance was proportionate within the meaning of Article 52 of the Charter of Fundamental Rights and that there was access to judicial remedies under Article 47 of the same Charter.
The establishment of a data protection review court sounds promising, but does not meet the criteria for a legal remedy, it said.
In a statement, Schrems said: “As the draft decision is based on the well-known Executive Order, I cannot see how this would survive a challenge in the Court. It seems that the European Commission keeps making similar decisions again and again – in blatant violation of our fundamental rights.”
noyb pointed out that the views of the EDPB and the European Member States are not binding on the Commission. “Once the decision is published, European companies can rely on it when sending data to the US. The final decision is not expected before spring 2023. Users can then appeal the decision through national and European courts. ®
https://www.theregister.com/2022/12/14/eu_us_data_sharing_agreement/ EU takes steps towards US data sharing agreement • The Register