by Julia Tar
The European Commission formalised its new adequacy decision for the EU-US Data Privacy Framework on Monday (10 July), providing a new legal framework for transatlantic data flows after the two previous ones were struck down in court.
The European Commission published its draft data adequacy decision with the United States in December, following US President Joe Biden’s signature of an executive order in October.
Transfer of personal data from the EU to the US was deemed illegal by the Court of Justice of the European Union in two landmark cases. In the last verdict, Schrems II, the EU judges pointed to disproportionate access and inadequate protection of European bulk data held by US security services, as first revealed by Edward Snowden in 2013.
The US executive order was designed to address these concerns, namely introducing safeguards for EU residents’ personal data by limiting the access of US intelligence agencies and introducing an independent redress mechanism.
During a press conference, European Commissioner for Justice Didier Reynders said that “personal data can now flow freely and safely from the [European] Economic Area to the US”.
Data adequacy decision
Last week, US Secretary of Commerce Gina Raimondo announced that all the commitments to implement the Data Privacy Framework had been implemented, notably regarding the redress mechanism and intelligence services limitations.
Also last week, EU national representatives adopted with a broad majority the data adequacy decision. For Reynders, the Commission has made “significant progress” and achieved the right balance between collective security and individual rights.
A significant addition to the adequacy’s text compared to the initial draft is that whenever an organisation does not comply with the requests of a European data protection authority, the matter should be flagged to the US Department of Commerce and the Federal Trade Commission.
The conditions for issuing administrative subpoenas to access data held by companies in the United States for public interest purposes and search warrants were further specified.
Moreover, the adequacy decision requires intelligence services to define the specific retention period and rationale, such as the type of information held or whether it is needed to protect a person.
The intelligence services will be under the supervision of the Privacy and Civil Liberties Oversight Board, which will have access to all relevant documents, including classified information.
The Commission will review the data adequacy decision regularly, starting one year after it enters into force. Among the aspects to be reviewed will be the redress mechanism and the cooperation between US and European authorities, as the latter will be the first to receive the complaints.
Criticism
However, not all were fully satisfied with the final version of the adequacy decision.
In February, the European Data Protection Board, which gathers all EU data protection authorities, stressed several points of improvement in the data adequacy decision, notably regarding the rights of data subjects, onward data transfers, and temporary bulk data collection.
In addition, the European privacy regulators noted that how the redress mechanism will work in practice should be closely monitored and how the principles of necessity and proportionality will be interpreted.
In particular, the concept of ‘proportionate’ access to data might not align with the EU Charter of Fundamental Rights as the US jurisprudence will define the term.
The redress mechanism is another controversial aspect. Besides the Civil Liberties Protection Officer, it comprises a Data Protection Review Court, which is, however, not fully independent as it is under the US executive branch.
Schrems III?
“Just announcing that something is ‘new’, ‘robust’ or ‘effective’ does not cut it before the Court of Justice,” said Austrian activist Max Schrems, who named the court cases, adding that changes in US surveillance law would also be needed in order “to make this work” but “we simply don’t have it”.
When asked about a potential Schrems III, Commissioner Reynders said that he believes it might be useful to test the new system before taking it to court. He added that he met Schrems before the new framework was introduced, as well as with other stakeholders.
Schrems expects the newest version of the adequacy decision “to be back at the Court of Justice by the beginning of next year”, which then could “even suspend the new deal while it is reviewing the substance of it”.
*first published in: Euractiv.com
By: N. Peter Kramer
