May 27, 2022

A political agreement reached late last month between the European Union and US administrations on a new transatlantic data transfer agreement, which aims to end years of legal uncertainty for companies exporting data from the bloc, has yet to be finalized. It will be scrutinized in the coming months after the publication of the full text, and if it is adopted, new (and accelerated) legal issues are likely to arise, so everything depends on the details.

Yesterday, the European Data Protection Board (EDPB), which advises on compliance with EU data protection law, released a statement explaining that it will focus on assessing this detail, saying that it will “pay special attention to how” the political agreement is translated into specific legal proposals.

“After examining all supporting documents received from the European Commission, the EDPB awaits a thorough evaluation of the new structure, which should be improved in light of EU legislation, CJEU case law and previous Council recommendations,” the council said in a statement.

“The EDPB will specifically analyze whether the collection of personal data for national security purposes is strictly necessary and proportionate. In addition, the EDPB will review whether the claimed independent redress mechanism respects the EEA’s right to an effective remedy and a fair trial for individuals. In particular, the EDPB will consider whether the new body, which is part of this mechanism, has access to relevant information, including personal data, in the performance of its mandate and whether it can make decisions that affect the intelligence services. The EDPB will also consider whether there are any remedies available against the body’s decisions or inaction.”

The EDPB also warned that the political deal is not yet a legal settlement, stressing that in the meantime, data exporters must continue to abide by the bloc’s Supreme Court case law, and especially the July 2020 CJEU decision, also known as Schrems II, which canceled the previous EU-US Data Transfer Agreement (also known as the EU-US Privacy Shield Agreement).

Speaking of the political agreement reached last month to replace defunct privacy protections, the Biden administration said the US had promised “new security measures” that would ensure the necessity of data collection by government surveillance agencies, which “will be proportionate” and serve “certain national security goals”.

The conflict between the primacy of US surveillance laws and strong privacy rights in the EU remains a fundamental rift, so it’s hard to see how any new deal could withstand new legal challenges if it doesn’t solve the problem of US mass surveillance programs.

The replacement agreement should provide EU citizens with a good way to seek redress and damages if they believe they have been unfairly targeted by US intelligence agencies, and that seems difficult.

Last month, before the political deal was announced, The Hill sued the US over FBI surveillance. The Supreme Court decision said it made the chances of a deal more difficult as the court denied that privilege, finding that Congress did not abolish this privilege by implementing surveillance reforms in the Foreign Intelligence Surveillance Act (FISA).

“While the ballot leaves the possibility that people like Prosecutor Fazaga can still make allegations of government surveillance based on publicly available information, most people need confidential information from the government to prove that surveillance is illegal. This decision could make it easier for the government to withhold such information from judges and therefore make it harder for most people challenging surveillance to prove their claims and get justice in court.”

The need for deeper reforms in FISA has been the main demand of critics of previous data transfer agreements between the EU and the US (before the Privacy Shield, there was Safe Harbor, which was canceled by the CJEU in 2015).

Last month, the White House said the agreement would, in principle, allow EU individuals “to be redressed through a new tiered redress mechanism consisting of an independent data protection tribunal made up of non-U.S. government-appointed decision-makers.” rights will be enabled. File a complaint and take corrective action if necessary.”

However, as emphasized in the EDPB statement, the legal status of this “supervisory court” will be important.

In addition, if the US Supreme Court takes a different stance that essentially ignores any deal the Biden administration promises, making it impossible for EU citizens to get the information they need to file lawsuits against the US government, that would leave EU people without actual redress … and, well, the CJEU has made it clear that EU individuals who are subjected to illegal surveillance in a third country must have a real way of seeking accountability.

The EDPB statement sets out these concerns clearly: the board says that any “new authorization” created from a claim for damages will require “access to relevant information, including personal data” in order to fulfill this mission, and should also be able to make decisions that are binding on the intelligence services.

It is worth remembering that the Ombudsman mechanism tested in the Privacy Shield was not accepted by the CJEU, both on grounds of independence and because of the Ombudsman’s inability to make binding decisions for the intelligence services.

How different the Data Protection Review Court will be in this regard remains to be seen.

Max Schrems, an EU privacy activist who has successfully challenged the last two EU-US data transfer agreements, remains skeptical that the latest “solution” offers anything fundamentally different – he recently tweeted a striking visual metaphor to illustrate his initial view.

If there is no real regulatory reform in the US, it is possible that the end of the data cycle will be as difficult as the last two times around. But even if the political need to strike a deal within the EU closes a clear legal gap – since the previous Commission ignored concerns and passed the Privacy Shield – it could only mean buying time for both sides until the next CJEU strike.

Maybe not even for long.

While Safe Harbor was around for 15 years, the Privacy Shield was only around for four years. That’s why EU lawmakers have been warned.
