US President Biden signs Executive Order for "Privacy Shield 2.0" data protection agreement

On October 7, 2022, U.S. President Joe Biden launched the new data protection agreement with the European Union, referred to here as "Privacy Shield 2.0," by means of an Executive Order (E.O.). This is intended to clear the legal way for data exchange between the EU and US providers. The data protection organization noyb around Max Schrems expects that this new agreement will also fail before the European Court of Justice (ECJ).


E.O. "Privacy Shield 2.0" signed

U.S. President Joe Biden signed an Executive Order to launch a new data protection agreement with the European Union. The subsequent tweet links to this White House fact sheet with details.

Privacy Shield 2.0

This Executive Order specifies the U.S. commitments it intends to implement under the European Union-U.S. Data Privacy Framework (DPF) to protect European users.

  • There are to be further U.S. safeguards to ensure that U.S. intelligence agencies and authorities may only access data of European users in pursuit of defined national security objectives. The privacy and civil liberties of all individuals, regardless of their nationality or country of residence, must be respected. Access to data may only take place when necessary to advance a validated intelligence priority, and only to the extent and in a manner appropriate to that priority.
  • The EU-U.S. Data Privacy Framework mandates the handling of personal data collected in the course of intelligence activities and expands the responsibilities of legal, regulatory, and compliance authorities. This is to ensure that appropriate action is taken when breaches occur. U.S. intelligence agencies must update their policies and procedures to reflect the new privacy and civil liberties safeguards included in the Executive Order.
  • A multi-level mechanism will be created for individuals from qualified states and regional economic integration organizations (read: EU citizens and businesses). This mechanism is intended to provide independent and binding review and redress of cases in which U.S. intelligence agencies have collected or processed private data in violation of applicable U.S. law.

These steps are intended to provide a basis for the European Commission to adopt a new adequacy decision. This is required for GDPR reasons to allow companies in the EU to transfer personal data of EU citizens to U.S. companies for storage and analysis. The EU adequacy decision certifies that the country in question has sufficient data protection measures in place to allow the transfer of personal data under the GDPR.

The U.S. hope is to re-establish a legal framework via the above Executive Order (EU-U.S. Data Privacy Framework – DPF) that re-establishes a data transfer mechanism under EU law to U.S. companies – where, primarily, the business interests of major U.S. technology and cloud providers are at stake. It also aims to create more legal certainty for companies using standard contractual clauses and binding corporate rules for the transfer of personal data from the EU to the United States.


German ECO Association welcomes the move

In an initial statement, the Internet Economy Association (eco) welcomes the fact that the US President has signed the Executive Order. eco sees in this step a presented solution for the legally secure transfer of personal data from the EU to the USA, one that attempts to take into account the requirements of the European Court of Justice. For the digital economy, especially for many small and medium-sized enterprises, this could finally lay a stable foundation for legally secure data exchange at the international level, the association hopes. This would finally put an end to the previous dithering and create legal certainty and reliability for companies.

eco also knows how things should continue and writes: Now the European Commission must quickly take the necessary steps so that the agreement can enter into force. Until then, the data protection authorities should take a clear position, recognize the solution at hand, and absolutely refrain from fine proceedings or any transfer bans on companies until it comes into force.

The background

After the adoption of the General Data Protection Regulation (GDPR), the EU and the USA concluded a data protection agreement under the name Safe Harbor. This was intended to legally regulate the processing of private data of European users and to enable the exchange of data by EU companies with US companies. However, the "Safe Harbor" agreement between the EU and the U.S. was overturned by the European Court of Justice (see my German blog post Safe Harbor: EuGH erklärt Abkommen für ungültig).

Then there was another attempt by the EU Commission at a data protection agreement with the US, called the "Privacy Shield." However, this data protection agreement was also overturned by the European Court of Justice (see European Court cancels EU-US "Privacy Shield"). In this case, too, the ECJ considered the level of data protection that the U.S. provided for EU citizens and their data to be incompatible with European law. The main issue was the power of U.S. intelligence agencies and authorities to access data transferred to the United States.

Then, in March 2022, EU Commission President Ursula von der Leyen and U.S. President Joe Biden announced a new agreement during the latter's visit to Europe. Under the term "Trans-Atlantic Data Privacy Framework", the EU and the US had agreed on an arrangement for the exchange of user data between the regions. I had reported on this plan in the post Preliminary agreement between EU and US on the Trans-Atlantic Data Privacy Framework. The above mentioned Executive Order is now the move by the US to allow the EU to adopt an adequacy decision.

Will we see a Schrems III ruling?

The two European Court of Justice (ECJ) rulings mentioned above, which overturned previous data protection agreements with the U.S., were fought for by the data protection association noyb around Max Schrems; they are commonly referred to as the Schrems I and Schrems II rulings. It is therefore interesting to see how consumer and data protection associations view this and how they react. The U.S. outlet CNBC captured some voices in this article.

European consumer group BEUC issued a notice saying the framework "is still likely to be inadequate to protect the privacy and personal data of Europeans when transferred to the US." According to BEUC, there are "no significant improvements in the new Executive Order to address issues related to the commercial use of personal data." But that's an area where the previous agreement, the EU-US Privacy Shield, fell short of GDPR requirements.

Ashley Gorski, senior counsel at the ACLU National Security Project (USA) explains that the order "doesn't go far enough. It does not adequately protect the privacy of Americans and Europeans, and it does not ensure that people whose privacy is violated can have their claims resolved by a fully independent decision-maker."

Noyb on US Executive Order about EU-U.S. Privacy Shield framework

Max Schrems' position is summarized in the above tweet: It is probably not enough. Schrems plans to analyze the documents in the coming days, but already notes with the data protection organization noyb:

That all European data sent to U.S. providers will continue to end up in programs like PRISM and Upstream, even though the ECJ has already twice declared such surveillance not "proportionate" (according to the European definition of the word) and thus illegal.

According to Schrems, it appears that while the EU and the U.S. agreed to copy the word "proportionate" into a U.S. document, they did not agree that it should have the same legal meaning. According to U.S. representatives, the word is now said to have an "American meaning" (not further defined). If the term actually had the European meaning, the U.S. would have to fundamentally curtail its mass surveillance systems – which is not planned. Max Schrems, chairman of noyb, comments:

In the end, the ECJ's definition will prevail – and thus probably nullify the agreement again. It is disappointing that the European Commission wants to continue spying on Europeans on the basis of this word.

Schrems sees the court envisioned by the U.S. as merely an "administrative body" whose rulings would be pre-determined. Quote:

The procedure is just as grotesque as before the Ombudsman: You have to send a complaint to a US official indirectly via a data protection authority. The official will reply that the U.S. neither confirms nor denies that you have been monitored. Moreover, the potential surveillance was either lawfully conducted – and if not, the problem was remedied (see Section 3(c)(E) of the Executive Order). One also gets the same (stipulated) answer from the Data Protection Review Court.

According to Schrems, U.S. companies do not have to comply with the GDPR either – the EU does not require the Privacy Shield Principles to be adapted in this regard. US citizens living in the US do have a right to privacy via the US Constitution. But that does not apply to EU citizens. The principles are largely identical to the previous "Safe Harbor" principles from 2000, Schrems said. That means U.S. companies can continue to process European data without complying with the GDPR. For example, they don't even need a legal basis for processing, such as consent. Under the Privacy Shield, U.S. companies only have to offer users an opt-out option. This is despite the fact that the ECJ has emphasized that there must be "equivalent protection on the merits" in the US for data to be freely transferred to the US.

When I read the above position of eco, hoping and cheering for legal certainty, and then set it against the statements of Max Schrems – who has already won two cases before the ECJ on the matter – the two are worlds apart. The exciting question at the end of the day will be:

  • How long will it take for the EU Commission to issue an "adequacy decision" and supposedly create legal certainty?
  • And how long will it take for the ECJ to issue its third Schrems ruling in this matter?

For me, the practical side of this – also taking into account the discussions here on the blog – is quite exciting. There are two aspects to this. On the one hand, there are the many ways in which data about products from US providers can be transferred to the US via telemetry or cloud functions. Apple, Google, Microsoft & Co. practice this extensively. And it's not just abstract data points that are collected and transmitted via telemetry. Microsoft's SmartScreen filter transmits the entire surfing behavior to the USA – I recently reported on the case of the enhanced spell checker, which transmits typed data to Microsoft or Google (see Chrome & Edge may send personal data (including passwords) to Google and Microsoft respectively). And all the automatic uploads to the cloud, which sometimes lead to blocked accounts with US providers, certainly contain very personal data. This is probably approved via the EULA or a GDPR prompt when the product is first used – but procedures for storing, processing and deleting personal data in accordance with the GDPR are not apparent.

And there's a second aspect that many don't have on their radar. EU companies and authorities are eager to hand over their users' data to US cloud providers. However, when I look at the daily news regarding data leaks and hacks from the U.S., the IT landscape there is heading for a huge security and data protection disaster. If a data breach occurs in the U.S. and a European company or authority has had its data processed or stored there, or if the data has been transferred there, the U.S. entity is not the responsible party. The GDPR then falls on the European company or authority. I'm skeptical that this will go well – but perhaps some will only learn from corresponding incidents. Schrems says about the whole situation:

It's amazing that the EU and the U.S. actually agree that wiretaps require probable cause and judicial authorization. The U.S., however, believes that foreigners have no right to privacy. I doubt the U.S. has a future as a global cloud provider if international customers have no rights under U.S. law. It is outrageous when the European Commission accepts that EU citizens should be second class people who do not deserve the same rights as US citizens.

I think he's very spot on there – and I look forward to the next ECJ case on the matter.
