Update Data Protection No. 120
Transatlantic data agreement – will there be a Privacy Shield 2.0?
Data transfers to the U.S. – a red flag for European data subjects and supervisory authorities. The economic reality varies: For companies, data transfers to the U.S. are an important tool and inevitable for the use of certain services (see also Data Protection Update No. 89). Since the decision of the European Court of Justice (“ECJ”) regarding the EU-US Privacy Shield (“Privacy Shield”), there is no longer a secure legal framework for data transfers to the U.S. Now, U.S. President Joe Biden has signed an executive order which could increase the chances for a new transatlantic data agreement with the EU.
In 2020 the ECJ ruled that the EU Commission’s decision on the Privacy Shield with the U.S. was invalid (Case C 311/18 - "Schrems II"). This decision has drawn a lot of attention (see also Data Protection Update No. 82).
Since then, data transfers to the U.S. are only permissible if the transfer mechanisms under chapter 5 of the GDPR are met. However, these meet the needs of the global economic market – at least in the masses – to a limited extent at best and in many cases not at all. The EU and the U.S. have been engaged in a dispute over a new legal framework for the secure transfer of data to the U.S. ever since. In particular, the EU expected important efforts from the U.S. to improve their level of data protection. After the EU and the U.S. already announced an "agreement in principle" in March this year, U.S. President Joe Biden now may have cleared the way for a new adequacy decision by the EU Commission by signing an executive order, thus paving the ground for a new legal framework for data transfers.
Will the U.S. meet European requirements?
This executive order provides for some concessions that would be a big step forward for the U.S. in the field of data protection. The purpose of the executive order was to implement the requirements of the above-mentioned Schrems II judgement. Worth noticing are following U.S. government goals:
1. Proportionality of surveillance – can the U.S. build trust?
Access to personal data of EU citizens for conducting intelligence activities shall only be possible "in pursuit of specific national security objectives" if access is "necessary" and “proportionate”, i.e., if access does not disproportionately affect the protection of privacy and freedoms. This addresses a central – and frequently taken up – aspect of the ECJ's judgement: the proportionality of the access possibilities to the transferred personal data of EU citizens, for example by US intelligence services, which was missing at the time of the judgement. This requirement of proportionality derives from Article 52 of the Charter of Fundamental Rights of the European Union (CFR). According to the principles of Art. 52 CFR, restrictions on the rights and freedoms of EU citizens must be proportionate and necessary. It is remarkable that the executive order now uses exactly the same wording as those set forth in the CFR.
What remains questionable is what is meant by necessary and proportionate from a U.S. perspective, and whether this coincides with the European understanding. Although a complete renunciation from current surveillance practices would be surprising, the positioning on this will have to be observed over the coming time period. Nevertheless, the EU Commission would do well to critically examine whether the precautions are sufficient.
2. Better legal protections for EU citizens?
Furthermore, the U.S. now guarantees a multi-layer mechanism by which EU citizens can seek redress against unlawful access to their personal data. This is an important aspect, since the core problem of the Privacy Shield was not only the aforementioned extensive access possibilities to personal data of EU citizens of the U.S. intelligence services, but also and in particular the missing or insufficient legal protection possibilities of EU citizens against such access.
With its executive order, the U.S. government now reacts and holds out the prospect of a multi-level mechanism. At its first layer, the Civil Liberties Protection Officer in the Office of the Director of National Intelligence is to conduct an initial investigation of complaints and determine the appropriate remedy in the event of a violation. Particularly worth highlighting is the second layer of this mechanism. As the second layer a Data Protection Review Court is to be installed which is primarily intended to replace the much-criticized ombudsman procedure in the Privacy Shield. According to the White House, the judges will be non-U.S. government appointments and will „have relevant experience in the fields of data privacy and national security“. However, first critical voices are already being raised as to whether the Data Protection Review Court can be recognized as a "court" by both American and European standards. The background to this criticism is the principle of separation of powers which only allows the judiciary, i.e. the judicial power, to dispense justice. Since the court can only be appointed by the U.S. Congress and thus rather were to be part of the executive branch (so NGO noyb with the statement of 07.10.2022: Executive Order on US surveillance is probably not enough (noyb.eu)) and its independence were to be questionable, the criticism is not unsubstantiated. If this is the case, it will not be easy to meet the requirements of the ECJ judgement. According to Art. 47 CFR, every EU citizen has the right to an effective remedy and to an impartial tribunal. Interventions in (EU) fundamental rights must therefore always be subject to judicial review. So the main question here will be: Will this be possible?
In addition, U.S. intelligence agencies will be required to implement procedures that ensure effective oversight of the new privacy and civil liberties standards.
From a European perspective, it is gratifying that the U.S. seems to show understanding for European sense of justice instead of ignoring such concerns. Nevertheless, it is desirable that the EU Commission critically examines whether the conditions for a new adequacy decision are already met by the executive order issued. It is not to be assumed that a new adequacy decision will do without legal review by the ECJ. Instead, a third case most likely will be brought before the ECJ. It would be highly detrimental both to the legal certainty of data transfers to the U.S. and to the acceptance of European data protection law in general if such a "Schrems III" judgement were to result in the invalidation of an adequacy decision once again.
Either way, an adequacy decision must remain the goal in order to re-establish a secure legal framework for the transfer of data to the U.S. which is so important from an economic perspective. We will keep you informed of further developments.