Data protection commissioner of Baden-Württemberg (Germany) considers US President Biden's Executive Order for a data protection agreement "Privacy Shield 2.0" with European Union as insufficient

On October 7, 2022, U.S. President Joe Biden launched the new data protection agreement with the European Union, referred to here as "Privacy Shield 2.0", by means of an Executive Order. The aim: to clear the legal path for the transfer of personal data from the EU to U.S. providers. Experts already doubted whether this presidential decree would hold up before the European Court of Justice (ECJ). Now an assessment by Dr. Stefan Brink, data protection commissioner of the state of Baden-Württemberg, has become known: he considers the Executive Order insufficient and points to considerable deficits.


U.S. Presidential Executive Order for "Privacy Shield 2.0"

U.S. President Joe Biden signed an Executive Order in early October 2022 to launch a new data protection agreement with the European Union. In a subsequent tweet, the White House linked to a fact sheet with the details.


The Executive Order specifies the obligations the U.S. intends to implement to protect European users under the European Union-U.S. Data Privacy Framework (DPF). I had reported on the details and given an initial assessment in the blog post US President Biden signs Executive Order for "Privacy Shield 2.0" data protection agreement.

Eco welcomes the decree

The Association of the Internet Industry (eco) welcomed the signing of the Executive Order by the US President in a first statement. eco regards this step as presenting a solution for the legally secure transfer of personal data from the EU to the USA, one that attempts to take the requirements of the European Court of Justice into account. So there was rejoicing, possibly premature.

Assessment by noyb

Because the history of the data protection agreements concluded so far between the EU and the USA has been a history of failures and setbacks. The eco association and the US cloud providers can cheer each new agreement as much as they like: privacy activist Max Schrems and his organization noyb have taken these agreements to the European Court of Justice (ECJ), and every previous agreement (Safe Harbor in 2015, Privacy Shield in 2020) was struck down by the ECJ.



Regarding the above decree of US President Joe Biden, there were early statements that considered it insufficient (I had quoted them in the blog post Preliminary agreement between EU and US on the Trans-Atlantic Data Privacy Framework). Max Schrems summarized his position in a tweet: it is probably not enough. Schrems intends to analyze the documents together with noyb, but has already noted with the data protection organization that the approach probably falls short, and that noyb will sue if it is implemented in the EU.

Stefan Brink also sees flaws in the decree

What is interesting now is the assessment of the outgoing data protection commissioner of Baden-Württemberg, Dr. Stefan Brink, published on October 26, 2022. According to Brink, the Executive Order of the U.S. President is an important step for international data transfers after the Schrems II ruling of the ECJ, but leaves many questions unanswered. LfDI Dr. Stefan Brink comments:

The fact that the U.S. government is taking action with regard to the data transfer agreement is an important step in the right direction. In order not to lose Europe as an important trade and business partner in the long term, the U.S. must move toward the European Commission and European data protection principles. However, the regulations of the Executive Order reveal significant deficits.

As LfDI BW, Brink welcomes in principle that the U.S. government is taking action on the data transfer agreement. According to Brink, a viable agreement is urgently needed, especially for export-oriented European companies and for everyone who uses U.S. service providers.

The ECJ ruling has led to legal uncertainty for many German and European companies; if U.S. companies do not want to give up the important and strong European market, the U.S. government will have to follow European case law and accept European rules, the data protection commissioner said.

Rights not enforceable

Despite the development he describes as encouraging, LfDI Brink sees considerable legal ambiguities in the Executive Order. He makes the following points:

  • The question arises to what extent an Executive Order can be an effective instrument at all for implementing the requirements of the General Data Protection Regulation (GDPR, German: DS-GVO). It is an internal instruction to the government and its subordinate agencies, not a law passed by parliament, and is therefore not binding in the way a statute is.
  • Compliance with a mere Executive Order is not enforceable, least of all by EU citizens.
  • In addition, it is unclear how the Executive Order relates to other existing U.S. laws such as the CLOUD Act, as the data protection expert rightly complains.

Brink acknowledges that limiting data processing to what is "necessary" and "proportionate", as the Executive Order now does, does look like a concession. But the legal concept of proportionality is interpreted differently in Europe and in the U.S., Brink notes. It therefore remains unclear when, from the U.S. perspective, access for national security purposes remains permissible. That alone is already a knockout argument, and Max Schrems of noyb argues along the same lines. Brink continues:

  • The requirements for filing a complaint are considerable for EU citizens. A list of minimum information must be supplied, which leaves room for sifting out "undesirable" complaints: a knockout criterion.
  • Complainants are also explicitly not told whether they have been the subject of intelligence activities by U.S. authorities; they only receive a standardized notice stating that the review of their complaint has been completed. The same wording is provided for a subsequent decision by the "court" (which in reality consists of administrative bodies within U.S. agencies).
  • This Data Protection Review Court is established by the Executive Order within the department of the Attorney General. It is thus likely to be part of the executive branch, which conflicts with the (judicial) independence it would need.

Moreover, the European Court of Justice had demanded not only legal remedies against state surveillance, but an end to warrantless surveillance itself. That cannot be assumed at present, says Dr. Stefan Brink: the system change demanded by the ECJ is not taking place. This hardly fits the jubilation of the eco association mentioned above. State Commissioner Stefan Brink puts it in a nutshell:

The European Commission will now have to decide whether the level of protection of personal data in the U.S. is equivalent. It is already questionable whether the Commission is at all in a position to reassess the level of data protection in the U.S. and issue an adequacy decision on the basis of the Executive Order alone. The large number of open questions that still need to be clarified casts doubt on this. In this elementary data protection issue, however, EU citizens need legal certainty just as much as the European and foreign companies affected by it. If the European Commission were to allow the fundamental rights of EU citizens to take a back seat to economic interests for the third time in a row, the European Court of Justice would find this difficult to accept.

Is failure preprogrammed?

I think the EU Commission will try to "fix" something in order to issue an adequacy decision that formally allows the transfer of EU citizens' personal data to the US cloud. Companies will rush to the US providers' clouds with a "cloudy look" in their eyes, since supposedly there is no alternative. And then the predictable happens: Max Schrems files a lawsuit before the European Court of Justice (ECJ), and this renewed adequacy decision is struck down as not conforming to the law. Companies will wail that they can no longer do business and rant about the GDPR. But it really has to hurt before people in the executive suites wake up, at least that is my feeling.

Similar articles:
Safe Harbor: ECJ declares agreement invalid
European Court cancels EU-US "Privacy Shield"
Preliminary agreement between EU and US on the Trans-Atlantic Data Privacy Framework
US President Biden signs Executive Order for "Privacy Shield 2.0" data protection agreement
