New approach for US data transfers
Co-author: Dr. Nathalie Alon, LL.M.
Note: Because of its potential impact on other EU member states as well, this article was written in English.
Following the European Court of Justice’s overturning of the Privacy Shield, U.S. President Joe Biden has provided a new basis for an adequacy decision by the European Commission. For now, however, legal uncertainty remains.
Data transfers between the EU and the US have been highly controversial at least since the repeal of the EU-US Privacy Shield. The Court of Justice of the European Union (CJEU) had overturned the agreement due to insufficient data protection in the USA. Since then, there has been a great deal of legal uncertainty.
An Executive Order signed by US President Joe Biden in October could now change this. It is intended to serve as the basis for an “adequacy decision” by the European Commission and facilitate the exchange of data again. Will this bring clarity back to transatlantic data transfers?
Biden’s regulation promptly drew criticism from the data protection association NOYB. According to the association, disproportionate mass surveillance continues to be an integral part of U.S. intelligence activities. The words “necessary” and “proportionate” have now been transferred from EU law to US law, but without any consensus on whether they have the same meaning as in the EU.
NOYB also notes that a Data Protection Review Court (DPRC) is being established in the USA, to which EU citizens can appeal. However, the data protection experts criticize that the DPRC would still not meet the standard of European fundamental rights for an effective legal remedy and an impartial court.
Significant improvement
A skeptical attitude is understandable in light of past CJEU rulings. However, it should not be overlooked that the Executive Order brings improvements.
The DPRC is organized in panels of three “judges” in the event of a review. The judges will be selected by the Attorney General in consultation with the Secretary of Commerce, the Director of National Intelligence, and the Privacy and Civil Liberties Oversight Board. “Judges” must not have been employees of the executive branch, either at the time of their initial appointment or during the preceding two years, and must have experience in the privacy field. The removal of a member by the Attorney General is possible, for example, in the event of misconduct or unfitness, but only under strict conditions. In addition, the DPRC is not subject to the instructions of the Secretary of State, as was the former ombudsperson. In this respect, a significant improvement has been achieved, at least on paper.
Furthermore, the Executive Order does not limit itself to the inclusion of the terms “necessary” and “proportionate” with regard to monitoring measures. On numerous pages, guarantees are described that are to be implemented in order to uphold the proportionality principle of the EU Charter of Fundamental Rights. This is to be achieved through a balancing of interests between the importance of the surveillance activity and the impact on the fundamental rights of the data subjects. In addition, surveillance measures may only be undertaken to achieve objectives that are now precisely defined.
If, despite the progress made by the U.S. government, the expected adequacy decision is not in line with the strict requirements of EU law, NOYB does not rule out that the topic of data transfers will be back before the CJEU. It is therefore likely to be only a matter of time before the CJEU has to deal with data transfers to the U.S. again.
Uncertainty remains
One thing is clear: an adequacy decision and the associated legal certainty will be a long time coming. Until then, the other instruments for international data transfer, such as Standard Contractual Clauses, are available. Furthermore, a Transfer Impact Assessment must be carried out in the process, in which the risks of the data transfer are identified and, if necessary, mitigated. Additional measures, such as pseudonymization or encryption, are therefore still necessary in order to be able to carry out transfers to the USA on the basis of standard contractual clauses in a legally secure manner.
The U.S. government has addressed the CJEU’s criticisms in the course of the new Executive Order and has made some changes. Only time will tell how the measures cited will actually be implemented and whether this will suffice in practice to create an adequate level of data protection for EU citizens.
PwC Legal Austria keeps monitoring the situation and helps you navigate through the intricacies of international data transfers, from assessing your transfers to advising you on the implementation of compliant solutions. PwC Legal Austria is part of an international network of law firms to which it can take recourse for any analysis of the laws and practices of third countries.