The EU has issued a draft decision agreeing that measures taken by the United States ensure sufficient protection for personal data to be transferred from the region to US companies.
The US Executive Order signed by President Biden on 7 October 2022, along with the regulations issued by US Attorney General Merrick Garland, stipulated that access to personal data from Europe by US intelligence agencies would be limited to what is necessary and proportionate to protect national security. Under the Cloud Act, US law enforcement authorities can request personal data from US-based technology companies (after issuing warrants or court orders), regardless of the data’s location, and this has been one of the key reasons data sharing with America is viewed as potentially not complying with EU privacy rules.
In the new Executive Order, the US also offered EU individuals the possibility to obtain redress regarding the collection and use of their data by US intelligence agencies before an independent and impartial redress mechanism, including a newly created Data Protection Review Court.
However, campaigners said the agreement failed to address legal requirements already set out by the Court of Justice of the European Union, which struck down the so-called Privacy Shield data protection arrangements between the political bloc and the US in July 2020.
Austrian privacy activist Max Schrems brought the case — informally known as Schrems II — in 2015, complaining that Ireland’s data protection agency did not stop Facebook in Ireland from sending data to the US, where spy agencies could gain access to it without legal redress for EU citizens.
Following the ruling, the European Commission — the EU’s executive branch — began to work towards a framework for data sharing, a draft adequacy decision dubbed the EU-US Data Privacy Framework, designed to enable trans-Atlantic data flows and address the concerns of the CJEU.
This week’s draft decision follows the signature of a US Executive Order and new US regulations which built on the agreement in principle announced by EU president von der Leyen and Biden in March 2022. The Commission has also handed the decision to the European Data Protection Board (EDPB) for its opinion.
Under the proposed arrangement, US companies will be able to join the EU-US Data Privacy Framework by committing to comply with privacy obligations, including a requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties.
EU citizens have been promised redress if their personal data is handled in violation of the Framework, including free-of-charge independent dispute resolution mechanisms and an arbitration panel.
The US Executive Order also promised that the redress mechanism could include a newly created Data Protection Review Court, which promises to independently investigate and resolve complaints from Europeans, including by adopting binding remedial measures.
The privacy law campaign group founded by Schrems, noyb, said the new adequacy decision was already invalidated by the CJEU decision on US surveillance. That ruling required that US surveillance be proportionate within the meaning of Article 52 of the Charter of Fundamental Rights and that there be access to judicial redress, as required under Article 47 of the same charter.
The establishment of a Data Protection Review Court might sound promising, but it did not meet the criteria for judicial redress, it said.
In a statement, Schrems said: “As the draft decision is based on the known Executive Order, I can’t see how this would survive a challenge before the Court of Justice. It seems that the European Commission just issues similar decisions over and over again — in flagrant breach of our fundamental rights.”
noyb pointed out that the views of the EDPB and the European Member States would not be binding on the Commission. “Once the decision is published, European companies can rely on it when sending data to the US. The final decision is not expected before spring 2023. Users can then challenge the decision via national and European courts,” it said. ®