European Commission adopts adequacy decision for EU-U.S. Data Privacy Framework

[German]After the U.S. recently declared that it has implemented the terms of the EU-U.S. data transfer agreement "Transatlantic Data Privacy Framework" (DPF) and complies with the requirements, the EU Commission is following suit. On July 10, 2023, the EU Commission issued the expected adequacy decision for the EU-U.S. data transfer agreement "Transatlantic Data Privacy Framework" (DPF). The business community is celebrating the decision, Max Schrems with his organization noyb has announced the review of the DPF by the European Court of Justice.

I was actually waiting daily for the EU Commission's decision on the matter, because as of July 4, 2023, U.S. Secretary of Commerce Gina Raimondo had announced the execution of the terms of the EU-U.S. data transfer agreement "Transatlantic Data Privacy Framework" (DPF). I had reported on this event in the blog post U.S. declare they complies with obligations under the EU-U.S. Data Privacy Framework.

EU Commission adopts adequacy decision

On July 10, 2023, the European Commission voted, as expected, to adopt its adequacy decision for the EU-US Data Protection Framework (DPF). The text can be downloaded as a PDF document from this website, and an FAQ on the decision can be found here.

With the document, the EU Commission concludes that the United States provides a level of protection for personal data transferred under the EU-US data protection framework by a controller or processor in the EU to certified organizations in the United States that is substantially equivalent to the EU. With the adequacy decision, the transfer of personal data from controllers and processors in the EU to certified organizations in the U.S. is possible without further authorization.

The EU-US data protection framework introduces new binding safeguards to address all concerns raised by the European Court of Justice, the EU Commission is certain, at least in its press release. According to the EU Commission's reading, these include limiting U.S. intelligence agencies' access to EU data to what is necessary and proportionate, and establishing a data protection review court to which EU citizens have access.

The new framework brings significant improvements compared to the mechanism that existed under the Privacy Shield, the EU Commission explains. For example, if the Data Protection Review Court (DPRC) finds that data was collected in violation of the new safeguards, it can order the deletion of the data. The new safeguards in the area of government access to data will complement the commitments that U.S. companies importing data from the EU must make, the Commission writes.

EU Commission President Ursula von der Leyen said: "The new EU-US data protection framework will ensure secure data flows for Europeans and provide legal certainty for businesses on both sides of the Atlantic. Following the agreement in principle I reached with President Biden last year, the U.S. has made unprecedented commitments to create the new framework. Today, we are taking an important step to give citizens confidence that their data is secure, deepening our economic relationship between the EU and the U.S. while reaffirming our shared values. It shows that we can tackle even the most complex problems together."

noyb: Privacy advocate will call the european court

The data privacy organization noyb of Austrian Max Schrems, who has already overturned the two previous data protection agreements between the EU and the U.S. through lawsuits before the European Court of Justice, sees the situation differently. The supposedly "new" transatlantic data protection agreement is largely a copy of the failed "Privacy Shield" agreement, he says. Contrary to what the European Commission claims, he sees only little changes in U.S. law: the fundamental problem with FISA 702 has not been addressed by the United States. As a result, only U.S. persons would still have constitutional rights and could not be subject to warrantless surveillance – which Europeans are not entitled to.

In a statement

noyb breaks down in detail where the sticking points lie. According to the organization, the Americans put the EU under pressure over the agreement after the start of the Ukraine conflict. The EU Commission and the U.S. president had reached into their bag of tricks and included the term "proportional" in the "Agreement in Principle." But the interpretation of what is proportionate differs between the US and the EU. It is quite instructive to read noyb's opinion on this.

According to noyb, the European Commission's third attempt to reach a stable agreement on data transfers between the EU and the US will end up before the European Court of Justice (ECJ) again in a few months. Schrems writes on noyb:

They say the definition of insanity is doing the same thing over and over again and expecting a different result. Just like 'Privacy Shield' the latest deal is not based on material changes, but by political interests. Once again the current Commission seems to think that the mess will be the next Commission's problem. FISA 702 needs to be prolonged by the US this year, but with the announcement of the new deal the EU has lost any power to get a reform of FISA 702.

We now had 'Harbors', 'Umbrellas', 'Shields' and 'Frameworks' – but no substantial change in US surveillance law. The press statements of today are almost a literal copy of the once from the past 23 years. Just announcing that something is 'new', 'robust' or 'effective' does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work – and we simply don't have it.

Schrems says that they already have the challenge of the new agreement in court in the drawer. The people at noyb expect that the new agreement will be used by the first companies in the next few months. This will open the way for a challenge. According to Schrems, it is not unlikely that a challenge will be submitted to the ECJ by a national court by the end of 2023 or early 2024. The ECJ would then even have the option of suspending the new agreement for the duration of the proceedings. A final decision would be expected in 2024 or 2025. Regardless of whether such a challenge will be successful, this will bring clarity to the "Trans-Atlantic Data Privacy Framework" in about one to two years. Max Schrems on this:

We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong. We currently expect this to be back at the Court of Justice by the beginning of next year. The Court of Justice could then even suspend the new deal while it is reviewing the substance of it. For the sake of legal certainty and the rule of law we will then get an answer if the Commission's tiny improvements were enough or not. For the past 23 years all EU-US deals were declared invalid retroactively, making all past data transfers by business illegal – we seem to just add another two years of this ping-pong now.

This third attempt to make largely the same illegal decision also raises questions about the role of the European Commission as guardian of the EU treaties, noyb said. Instead of upholding the rule of law, the Commission simply keeps issuing an invalid decision – despite clear rulings by the ECJ. Despite great outrage after the Snowden revelations in the EU and repeated calls from the European Parliament to take action, the Commission seems to prioritize relations with the US and economic pressure on both sides of the Atlantic over the rights of Europeans and the requirements of EU law, Schrems said.