Brussels on Monday announced that the transfer of personal data to the US can legally take place after securing safeguards over access by intelligence agencies and the creation of a redress mechanism for EU residents.
The adequacy decision means Brussels considers that Washington ensures a level of protection comparable to that of the EU for personal data transferred from the bloc to US companies.
The deal comes three years after the Court of Justice of the EU (CJEU) invalidated the previous adequacy decision on the EU-U.S. Privacy Shield and more than a year after Commission chief Ursula von der Leyen and US President Joe Biden announced that they had reached an agreement in principle on a new transatlantic data flows framework.
Since then, Biden signed an executive order to strengthen privacy and civil liberties safeguards for US intelligence agencies and to create a new independent and binding mechanism for individuals to seek redress if they believe their data was wrongfully collected by intelligence agencies.
“I welcome the important commitments taken by the US. So that citizens can trust that their data is safe and so we can deepen economic ties,” von der Leyen said in a tweet in reaction to the announcement on Monday.
The European Centre for Digital Rights (NOYB), an NGO headed by Max Schrems, the privacy activist who successfully challenged previous adequacy decisions, has already announced it will once again turn to the courts.
It argues that this new attempt to get a transatlantic data privacy framework in place is “largely a copy of the failed ‘Privacy Shield'” and that the fundamental problem in US foreign intelligence laws “was not addressed”.
“We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong. We currently expect this to be back at the Court of Justice by the beginning of next year,” Schrems said in a statement.
New framework is ‘substantially different’
Asked about the prospect of further litigation, Commissioner for Justice Didier Reynders told reporters: “I’m sure we have very robust arguments to show that we now have a very different system”.
He said Brussels had “achieved significant changes to the US legal framework” to address the requirements previously spelled out by the CJEU and that “this new framework is substantially different than the EU-US Privacy Shield”.
“Why not test a new system before going too far in the criticism of such a system?,” he added.
He stressed for instance that the redress mechanism will be free of charge and available in every EU language as complaints will be made through national data protection authorities.
They will then be transmitted to the European Data Protection Board which will transfer them to the US where they will be first investigated by the so-called ‘Civil Liberties Protection Officer’ of the US intelligence community. They will be tasked with evaluating whether intelligence agencies complied with privacy and fundamental rights and whether the principles of necessity and proportionality were respected.
In the event the EU plaintiff disagrees with this first assessment, the complaint can then be escalated to a newly created Data Protection Review Court (DPRC) that will be composed of members from outside the US government, who cannot be dismissed without cause and who cannot receive instruction from the government.
This new independent body will be given powers to investigate complaints and can take binding remedial decisions including the deletion of the data.
Julia Kaufmann, IT and data partner at Osborne Clarke, a London-based international legal practice, told Euronews that the executive order the new adequacy decision relies on — EO 14086 — ensures that the rights granted “are provided to all persons, regardless of their nationality or where they reside.”
“I cannot find anything in EO 14086 that would support the statement of Mr. Schrems that the rights provided are limited to US persons.”
“The question is not whether all the rights granted under a constitution apply also to non-citizens, the question is whether the laws and practices in a third country are adequate from an EU perspective. Of course, what we do not know at this point is whether the actual practice in the US will follow the laws. That is something the EU Commission will need to monitor and has committed to do so,” she added.
The adequacy decision will come into force on Tuesday with a first review to take place within one year after the entry into force “to verify whether all relevant elements of the US legal framework are functioning effectively in practice,” the Commission said in a statement.
Further reviews will then take place at least every four years.