EU confirms draft decision on replacement US data transfer pact

By announcing a draft decision on U.S. adequacy, the European Commission has opened the door for the adoption of a new EU-U.S. data transfer agreement the following year.

You can obtain the draft adequacy decision for the EU-US Data Privacy Framework (DPF) from this page.

The EU executive body and their American counterparts hope that the Commission’s draft will finally bring legal certainty to transatlantic exports of EU personal data, which have been shrouded in risk ever since earlier agreements were declared invalid by the EU’s top court back in July 2020 and October 2015 due to the legal inconsistency between European privacy rights and U.S. surveillance powers.

The fundamental obstacle to data exchanges between the EU and the US has been and continues to be bridging that rift. Any new agreement on transatlantic data transfers will therefore definitely be the subject of legal challenges to determine if this basic conflict has been truly resolved.

However, it has taken a lot of work and difficulty to even get a substitute agreement on paper after the last two treaties were annulled by the Court of Justice of the EU (CJEU).

Didier Reynders, the EU’s justice commissioner, stated at a Politico event yesterday that he anticipated the new agreement would be completed by July of next year and that it had a “7 or 8 out of 10” chance of withstanding legal scrutiny. So even the Commission does not have a guarantee that this will last.

Today’s publication of the draft decision was accompanied by a statement from Reynders, who stated:

Today’s draft decision is the outcome of more than one year of intense negotiations with the US that I led together with my US counterpart Secretary of Commerce Raimondo. Over the past months, we assessed the US legal framework provided by the Executive Order as regards the protection of personal data. We are now confident to move to the next step of the adoption procedure. Our analysis has showed that strong safeguards are now in place in the U.S. to allow the safe transfers of personal data between the two sides of the Atlantic. The future Framework will help protect the citizens’ privacy, while providing legal certainty for businesses. We now await for the feedback from the European Data Protection Board, Member States’ experts and the European Parliament.

Věra Jourová, the Commission vice president for values and transparency, said in a second statement in support:

Our talks with the US have resulted in proposing a Framework that will further improve safety of personal data of Europeans transferred to the US. It builds on our good cooperation and progress we have made over the years. The future Framework is also good for businesses and it will strengthen Transatlantic cooperation. As democracies, we need to stand up for fundamental rights, including data protection. This is necessity, not a luxury in the increasingly digitalised and data driven economy.

A number of tech giants will be closely monitoring developments, including Facebook owner Meta, which is at risk of having its EU-U.S. data transfers suspended as a result of a protracted complaint that is still working its way through the EU’s General Data Protection Regulation (GDPR) enforcement procedures; and Google, whose analytics product has received warnings from DPAs across the bloc over unauthorized transfers of personal data.

But with the death of Privacy Shield, many businesses that depend on exporting personal data from the EU to the U.S. have been left in a legal limbo.

It took negotiations between the EU and the U.S. until this March to reach a political agreement, and it took until October before U.S. President Joe Biden issued an executive order (EO) to put the replacement data transfer agreement into effect.

The Commission has since produced a draft adequacy agreement, as the EU refers to such agreements, based on the text approved by the U.S. administration (and accompanying regulations issued by the U.S. Attorney General Merrick Garland), which turned the agreement-in-principle that the EU and U.S. signed in March into U.S. law.

The proposed resolution will next be examined by members of the European Parliament and representatives from other EU institutions, such as the European Data Protection Board (EDPB) and a committee of EU Member States. However, the final decision to adopt adequacy rests solely with the Commission, so today’s proposed decision is an important step toward finalizing a new agreement.

“US companies will be able to join the EU-U.S. Data Privacy Framework by committing to comply with a detailed set of privacy obligations,” the Commission writes. Among these obligations are the need to delete personal data when it is no longer required for the purpose for which it was collected and to guarantee continuity of protection when personal data is shared with third parties. If their personal data is treated improperly, EU individuals will have access to many routes for remedy, including free access to independent dispute resolution processes and an arbitration panel.

The US legal system also stipulates a variety of restrictions and precautions for the use of data by US public bodies, particularly for the purposes of criminal law enforcement and national security. This contains the new guidelines established by the US Executive Order, which addressed the concerns stated in the Schrems II judgment by the Court of Justice of the EU: EU citizens will have the option to seek redress regarding the collection and use of their data by US intelligence agencies before an independent and impartial redress mechanism, which includes a newly created Data Protection Review Court. Access to European data by US intelligence agencies will be restricted to what is necessary and proportionate to protect national security. The Court will independently look into and address Europeans’ complaints, including by taking legally enforceable corrective measures.

The Commission also stated that European businesses “would be able to depend on these safeguards for trans-Atlantic data transfers, also when employing other transfer mechanisms, such as standard contractual clauses and binding corporate standards.”

Having said that, it is unknown how long the renewed agreement will survive.

Less than four years went by after the EU-US Privacy Shield was established before the CJEU invalidated it. Furthermore, it might not take as long for a third judicial challenge to resolve the same issue.

Noyb, a privacy and digital rights non-profit advocacy organisation founded by Max Schrems, whose last name has come to be associated with successful challenges to EU-U.S. data transfer agreements, anticipates that the DPF will be rejected by the CJEU.

“The CJEU demanded that (1) US surveillance be proportionate in accordance with Article 52 of the Charter of Fundamental Rights (CFR), and that (2) there be access to judicial remedy, as required by Article 47 CFR. The updated US statute (Executive Order 14086) doesn’t materially alter the situation from the PPD-28 that was previously in effect, hence it appears to fall short of both standards. Continuous ‘bulk surveillance’ and a ‘court’ that is not actually a court are in place. The CJEU will therefore probably not be satisfied by any EU ‘adequacy determination’ based on Executive Order 14086,” according to a news release from Noyb.

It predicts the third deal won’t pass muster with the CJEU either based on its analysis of the two sides’ agreement-in-principle, which is based on the text of the U.S. EO. Changes “seem rather minimal,” according to its analysis, and the agreement “underperforms when it comes to the protection of non-US persons.”

In a statement, Schrems added: “We will carefully examine the draft judgement over the next days. I don’t see how the draft judgement would hold up to a challenge before the Court of Justice because it is based on the known Executive Order. The European Commission tends to consistently make the same choices, blatantly violating our fundamental rights.”

However, not everyone who cares seriously about data protection is as pessimistic about this ‘third time less unlucky’ attempt to seal an agreement on data transfers between the EU and the US.

Hamburg’s data protection commissioner released a somewhat positive-sounding statement on the EO’s contents last month. It praised the fact that, for the first time, U.S. secret service activities would be subject to “a proportionality proviso” and praised the US for appearing willing to (at least) limit the scope of government data collection. However, it also criticized “knee-jerk” criticism of the agreement.

However, it also stressed the need for close examination of the agreement to ascertain whether key components, such as how American secret services will interpret the term “proportionality” and how the data protection court will operate, will in fact meet CJEU criteria. Notably, it also referred to the express retention of US bulk collection (also known as “the instrument of mass surveillance”) as “problematic.”

It will be intriguing to watch how the EDPB evaluates the DPF.

A negative vote from the Board, which the Commission stated has already received its draft decision so it can start composing its opinion, would be a sure sign that legal issues may arise. However, the situation would be substantially different if the EDPB had issued a more favorable decision.

The Board will not be publishing a statement at this point in the process, according to a spokesman for the organization.

She added that it is unclear when the EDPB will adopt an opinion on the proposed ruling. “At this time, we are unable to predict when this will occur. The GDPR does not specify a deadline, but the European Commission may choose to do so,” she continued.

Noyb stated that it does not anticipate the new agreement to be finalized prior to the spring of 2023. After that, it states, consumers will have the option to challenge the DPF in national and European courts, starting a new regulatory risk clock.

Additionally, the Commission will keep an eye on how the EU-U.S. Data Privacy Framework is doing through a process of “periodic evaluations” that it will carry out independently with the help of European data protection authorities and in coordination with the relevant U.S. authorities.

The first review, which will determine if all pertinent components of the US legal framework have been properly implemented and are operating efficiently in practice, will take place within a year of the adequacy decision coming into force, according to the statement.

A brief Q&A provided by the Commission provides additional information on its proposed ruling.
