EDSA Comments on the EU-U.S. Data Privacy Framework

The European Commission is in the process of preparing a new agreement on data exchange with the USA, called the Trans-Atlantic Data Privacy Framework. For this purpose, the EU Commission announced a preliminary adequacy decision as of December 13, 2022. This is to be the successor to the EU-U.S. Privacy Shield data protection agreement, which was rejected by the European Court of Justice (ECJ). Now the European Data Protection Board (EDPB, German abbreviation EDSA) has commented on the preliminary decision.

What are we talking about?

There is currently no valid data protection agreement between the US and the EU that allows US cloud providers and software vendors to transfer personal data of EU citizens to the US under the GDPR. There have been two such data protection agreements between the EU and the US since the GDPR came into force (2018). The first agreement to legitimize the transfer of data to the US ran under the name "Safe Harbor". However, following a lawsuit filed by Max Schrems, the European Court of Justice (ECJ) declared this agreement invalid.

The second attempt for a successor agreement called "Privacy Shield" was also declared invalid by the ECJ after a follow-up lawsuit by Max Schrems and his data protection association noyb (see European Court cancels EU-US "Privacy Shield"). In both rulings, the judges emphasized that the level of data protection for EU citizens in the U.S. was not comparable or adequate to the EU GDPR standards.

With the Trans-Atlantic Data Privacy Framework, the U.S. and Europe are making a third attempt to establish a data protection agreement between the parties. To that end, a Presidential Executive Order for the EU-U.S. Data Privacy Framework – or DPF – was issued at the U.S. level on Oct. 7, 2022 (see US President Biden signs Executive Order for "Privacy Shield 2.0" data protection agreement). This is intended to ensure a data protection framework to enable a new data protecti

The EU Commission then announced its preliminary adequacy decision on the Trans-Atlantic Data Privacy Framework as of December 13, 2022. Before the Commission can publish a final decision in 2023, the data protection authorities of the 27 EU states must first provide feedback on the agreement. This is exactly what has now happened.

Statements from the EDPB

On February 28, 2023, the European Data Protection Board (EDPB) published its assessment of the data protection agreement (Opinion 5/2023 on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework). In this opinion on the EU Commission's draft adequacy decision on the EU-US Data Privacy Framework, the EDPB welcomes significant improvements. Among these, the EDPB includes:

  • the introduction of requirements consistent with the principles of necessity and proportionality for U.S. intelligence data collection,
  • and the new redress mechanism for EU data subjects.

At the same time, EDPB expresses concerns and requests clarifications on several points. These concern in particular certain rights of data subjects, onward transfers, the scope of exceptions, the temporary bulk collection of data and the practical functioning of the redress procedure.

In a published statement, the EDPB would like to see not only the effective date, but also the adoption of the adequacy decision conditioned on the adoption by all U.S. intelligence agencies of updated policies and procedures to implement Executive Order 14086. The EDPB recommends that the Commission evaluate these updated policies and procedures and report its evaluation to the EDPB.

EDPB Chair Andrea Jelinek said, "A high level of data protection is essential to protect the rights and freedoms of EU citizens. While we recognize that the improvements to the U.S. regulatory framework are significant, we recommend that the concerns raised be addressed and the clarifications requested be made to ensure that the adequacy decision will stand. For the same reason, we believe that after the initial review of the adequacy decision, further reviews should occur at least every three years, and we commit to contributing to those reviews."

On the commercial side, the EDPB welcomes a number of updates to the DPF Principles. It also notes that a number of principles remain essentially the same as under the Privacy Shield. Therefore, some concerns remain, such as with respect to some exceptions to the right of access, the lack of key definitions, the lack of clarity on the application of the DPF Principles to processors, the broad exception to the right of access for publicly available information, and the lack of specific rules on automated decision making and profiling.

The EDPS also reiterates that the level of protection must not be undermined by onward transfers. Therefore, he invites the Commission to clarify that the safeguards imposed by the original recipient on the importer in the third country must be effective in the light of the third country legislation before onward transfers take place.

Regarding government access to data transferred to the United States, the EDPB recognizes the significant improvements made by Executive Order (EO) 14086. The EO introduces the concepts of necessity and proportionality with respect to U.S. intelligence collection (signals intelligence).

In addition, the new redress mechanism creates rights for EU citizens and is subject to review by the Privacy and Civil Liberties Oversight Board (PCLOB). The EDPS also provides more safeguards for the independence of the Data Protection Review Court (DPRC) than the previous Ombudsman mechanism and introduces more effective powers to remedy breaches, including additional safeguards for data subjects.

The EDPS emphasizes the need to closely monitor the practical application of the newly introduced principles of necessity and proportionality. Further clarity is also needed on temporary mass surveillance and bulk collection and further storage and dissemination of data.

  • The EDPB also expresses concerns regarding the lack of prior independent authority approval for bulk data collection under Executive Order 12333 and the lack of systematic independent ex post review by a court or equivalent independent body.
  • With respect to prior independent authorization of surveillance under Section 702 of FISA, the EDPB regrets that the FISA Court does not review compliance with Executive Order 14086 when certifying programs that authorize the targeted surveillance of non-U.S. persons, even though the intelligence agencies conducting the program are bound by that order. Reports from the PCLOB on how the protections of EO 14086 are implemented and how those protections are applied when data is collected under Section 702 of FISA and EO 12333 would be particularly useful.
  • Regarding the redress mechanism, the EDPS recognizes the additional safeguards that are envisioned, such as the role of the Special Advocates and the PCLOB's review of the redress mechanism.
  • At the same time, the EDPS is concerned about the general application of the DPRC's standard response informing the complainant that either no covered violations have been found or a finding has been made that requires appropriate remedial action, especially since this decision cannot be appealed.

The EDPS therefore invites the Commission to closely monitor the practical functioning of this mechanism.

When I read the above, there is a big "yes, but". The EDSA welcomes the "efforts" to continue the EU-US data protection agreement. But the sticking point is: if an adequate level of data protection for EU citizens is not achieved here, the European Court of Justice (ECJ) is likely to overturn the third agreement again.

I assume that the EU Commission will now officially announce the adequacy decision, the industry will rush to the cloud rejoicing (all dams will burst). Then Max Schrems will take the agreement to the ECJ and file a lawsuit. The judges will certainly take their cue from the first two decisions. If the EU Commission cannot prove that there is an "equivalent" level of protection for EU citizens in the U.S. (I doubt it), the third data transfer agreement, the EU-U.S. Data Privacy Framework, will also be overturned. And then the catcalls in the industry and in authorities will be great again – "the evil data protection, no one could have guessed". It remains exciting and we will not run out of this topic so quickly – I guess.

Similar articles
European Court cancels EU-US "Privacy Shield"
Preliminary agreement between EU and US on the Trans-Atlantic Data Privacy Framework
US President Biden signs Executive Order for "Privacy Shield 2.0" data protection agreement