{"id":25673,"date":"2023-07-10T15:49:37","date_gmt":"2023-07-10T15:49:37","guid":{"rendered":"https:\/\/entertainment.runfyers.com\/index.php\/2023\/07\/10\/europe-adopts-us-data-adequacy-decision\/"},"modified":"2023-07-10T15:49:37","modified_gmt":"2023-07-10T15:49:37","slug":"europe-adopts-us-data-adequacy-decision","status":"publish","type":"post","link":"https:\/\/entertainment.runfyers.com\/index.php\/2023\/07\/10\/europe-adopts-us-data-adequacy-decision\/","title":{"rendered":"Europe adopts US data adequacy decision"},"content":{"rendered":"


\n<\/p>\n

\n

The European Union has adopted a new transatlantic data adequacy agreement with the US.<\/p>\n

The much anticipated decision means there\u2019s an immediate resolution to legal uncertainty around exports of EU users\u2019 personal data by US companies \u2014 a problem that\u2019s affected thousands of business in recent years, big and small, including the likes of Meta<\/a> and\u00a0Google<\/a>\u00a0to name a couple of the most high profile examples.<\/p>\n

Speaking during a press conference announcing the adequacy decision, EU justice commissioner Didier Reynders sounded confident that this time \u2014 the third such\u00a0 arrangement the bloc\u2019s executive has granted the US \u2014 will indeed be third time lucky.<\/p>\n

\u201cWith the adoption of the adequacy decision, personal data can now flow freely and safely from the European Economic Area to the United States without any further conditions or authorizations,\u201d he said. \u201cTherefore, the adequacy decision, ensure that data can be transmitted between the European Union and the US on the basis of a stable and trusted arrangement that protects individuals and provides legal certainty to companies.\u201d<\/p>\n

Political agreement on the EU-U.S. Data Privacy Framework (DPF) was announced back in March 2022\u00a0<\/a>but it\u2019s taken over a year to get all the \u2018i\u2019s dotted and \u2018t\u2019s crossed. While the prior mechanism for simplifying exports of data over the pond was invalidated by EU judges almost three years ago<\/a>. So the adoption of a new adequacy deal really does pull the shutter down on years of legal uncertainty affecting major US cloud services and scores of other digital players.<\/p>\n

That said, the big question for the DPF is how enduring this third EU-US data adequacy agreement will be \u2014 and that very much remains to be seen, despite the EU taking more time than it did last time to sweat the detail of the new framework.<\/p>\n

At today\u2019s press conference Reynders was sounding a lot more bullish than usual on this topic, arguing the framework is not simply a copypaste of earlier (failed) transfer mechanisms but \u201ca very different system\u201d \u2014 one he suggested is \u201ca very robust solution\u201d to an entrenched legal divide.<\/p>\n

He also suggesting the EU has listened closely to feedback as it worked to finalize a framework he claimed ensures \u201cfull compliance with the conditions set in the ruling of the EU\u2019s highest court\u201d.<\/p>\n

\u201cThis was my mandate and my focus in these negotiations, and this is reflected in the solutions we have obtained,\u201d he suggested. \u201cThey specifically address the requirements set by the court as regards the need for limitations and safeguards for access to data by US intelligence agencies in line with the principles of necessity and proportionality and the need to ensure effective redress for EU individuals.\u201d<\/p>\n

Nonetheless legal challenges to the DPF are on the way. Both predecessor arrangements (aka, Safe Harbor<\/a> and Privacy Shield<\/a>) were struck down by the bloc\u2019s top court after judges found exported personal data was not protected to the required legal standard given risks posed by sweeping US surveillance powers. And privacy campaigners are warning the new framework could be in front of the CJEU within months.<\/p>\n

One key point for critics is that since Privacy Shield\u2019s demise we have still not seen reform of US surveillance powers, with no moves by lawmakers to accept the need to reform the controversial FISA 702 provision and pass protections for foreigners\u2019 information.<\/p>\n

That means, at root, the DPF is still papering over the same fundamental legal conflict, between EU privacy rights and US surveillance powers, and could inexorably face the same assessment of inadequacy once EU judges get to scrutinize the detail.<\/p>\n

In recent months a number of other EU institutions have raised concerns<\/a> that the Commission\u2019s planned replacement lacks clarity<\/a>, also suggesting the tweaks on the prior approach may fall short of delivering the necessary essential equivalence in protection for data when it\u2019s over the pond. Although there has also been a recognition by bodies such as the European Data Protection Board that the DPF goes further than earlier data transfer deals. The question is whether it goes far enough to meet the CJEU\u2019s bar.<\/p>\n

The Commission decision itself doesn\u2019t mean much since it\u2019s solely responsible for adopting EU adequacy decisions \u2014 and Reynders conceded that today\u2019s green light is essentially a \u201cunilateral\u201d decision by the EU\u2019s executive \u2014 so the bloc\u2019s lawmakers are in the luxurious position of getting to mark their own homework once again, despite a history of getting these self-same equations wrong.<\/p>\n

Privacy campaign group noyb \u2014 whose founder and chairman, Max Schrems, was behind the original complaint against Facebook\u2019s EU-US data transfers \u2014 remains critical of the framework.<\/p>\n

Responding to the Commission\u2019s adequacy decision announcement today, noyb<\/a> confirmed it will lodge a legal challenge \u2014 saying it has \u201coptions for a challenge\u201d ready to be sent to regulators and expects the issue to be back with the CJEU by the beginning of next year. <\/span><\/p>\n

\n
\n

So we are “partners” with the US, but the US continues to say that EU citizens are “second class” and do not have fundamental rights (under the 4th Amendment). #TADPF<\/a><\/p>\n

\u2014 Max Schrems \ud83c\uddea\ud83c\uddfa (@maxschrems) July 10, 2023<\/a><\/p>\n<\/blockquote>\n<\/div>\n

If noyb\u2019s slated timeline holds, it would still have to be followed by months (or even years) of deliberation by the bloc\u2019s court. So a final verdict on the DPF could be years away. (For some comparative context, legal questions pertaining the DPF\u2019s predecessor, Privacy Shield, were referred to the court in <\/span>May 2018<\/a> \u2014 with the CJEU ruling striking down the mechanism landing in July 2020.)<\/span><\/p>\n

For now, Schrems and noyb argue the new framework is largely the same as the Privacy Shield that failed to pass must with EU judges \u2014 dismissing the main changes highlighted by EU and US teams involved in negotiating the replacement deal, such as the US apparently adopting an EU law principle of \u201cproportionate\u201d data use.\u00a0 noyb suggests this amounts to proportionality theatre, arguing the US is not assigning the same definition to the term that EU judges would understand in the Executive Order attached to the DPF where the US now vows its surveillance of foreigners will be \u201cproportionate\u201d.<\/p>\n

They are also also unimpressed by an attempt in the DPF to rework another problem that led to the CJEU skewering Privacy Shield \u2014 related to redress. So instead of the latter\u2019s ombudsperson the DPF offers up a Civil Liberties Protection Officer and what\u2019s being named as a \u201cCourt\u201d. But which, they point out, is not actually a court of law; rather it\u2019s a \u201cpartly independent executive body\u201d \u2014 hence summing up the changes as only \u201cminor improvements\u201d.<\/p>\n

\u201cThey say the definition of insanity is doing the same thing over and over again and expecting a different result. Just like \u2018Privacy Shield\u2019 the latest deal is not based on material changes but by political interests,\u201d argued Schrems in a statement. \u201cOnce again the current Commission seems to think that the mess will be the next Commission\u2019s problem. FISA 702 needs to be prolonged by the US this year but with the announcement of the new deal the EU has lost any power to get a reform of FISA 702.\u201d<\/p>\n

Anticipating the key lines of attack Reynders took some time to tackle both areas in his remarks today \u2014 fleshing out why the Commission thinks this deal is different and will stick.<\/p>\n

\u201cWe have achieved significant changes to the US legal framework to address these two sets of requirements,\u201d he suggested. \u201cThis new framework is substantially different than the EU-US Privacy Shield as a result of the Executive Order issued by President Biden last year following our negotiations. The necessity and proportionality requirements are now clearly spelled out through binding and enforceable safeguards in the US legal order.<\/p>\n

\u201cIn practice this means that when deciding whether and to what extent US intelligence agencies should access data, they will be required to balance the same factors as those required by the case law of the EU Court of Justice. These factors include the nature of the data, the seriousness of the threat, or the likely impact on the rights of individuals. On that basis, each US intelligence agency has reviewed its internal rules and procedures to implement these new requirements at the operational level.\u201d<\/p>\n

On the reworked redress mechanism, Reynders described it as \u201can independent and impartial tribunal that is empowered to investigate complaints lodged by Europeans and to issue binding remedial decisions\u201d, also noting the body has the power to oder the deletion of data collected in violation of the requirements of necessity or proportionality.<\/p>\n

He further emphasized that the Commission has paid attention to accessibility of redress \u2014 suggesting the mechanism has been designed to be \u201cuser friendly\u201d, and noting there\u2019s no charge for EU people to lodge a complaint (which he stipulated they can do in their own language via their local data protection authority which will then channel the complaint to the relevant authorities for them).<\/p>\n

\u201cVery low admissibility requirements will apply,\u201d he emphasized. \u201cIn particular, the complainant will not have to demonstrate that their data has been accessed by US intelligence agencies. This is a very important and this is crucial to ensure effective access to redress in an area which is by nature secret.<\/p>\n

\u201cBefore the [tribunal] the complainant\u2019s interest will be represented by a special advocate, again, free of charge with the necessary security clearances. These proceedings involve a certain degree of secrecy. With a special advocate, the court will take its decision only after hearing both sides. Finally, the functioning of this redress mechanism, including due process aspects and compliance with the decisions of the new court, will be overseen by an independent body specifically responsible for data protection, the Privacy and Civil Liberties Oversight Board.\u201d<\/span><\/p>\n

\u201cThe principles of the Data Privacy Framework are solid and I\u2019m convinced that we have made significant progress which meets the requirements of the Court,\u201d Reynders also said, before offering a word of caution to US authorities vis-a-vis the need to actually deliver on their commitments.<\/p>\n

\u201cAt the same time the Commission will be paying particularly close attention to implementation of this new legal framework and will not hesitate to react in case of any problems or issues,\u201d he warned.<\/p>\n

Cynics might say the whole EU-US adequacy saga is simply a way for lawmakers on either side of an immoveable legal schism to buy another few years\u2019 grace (and keep the wheels of commerce turning) by repeatedly kicking the flash-point down the road \u2014 leaving EU regulators and courts saddled with the resulting fall-out (and businesses facing yet another expensive legal mess if the deal ends up being unpicked yet again).<\/p>\n

It\u2019s a point of view that\u2019s lent credence when you consider how Meta, which has been subject to a complaint over its EU-US data transfers for around a decade \u2014 and was finally, earlier this year<\/a>, ordered to suspend data flows after EU privacy regulators confirmed the breach of the bloc\u2019s data export requirements \u2014 has never actually had to stop shipping out Europeans\u2019 data despite the exports being found to be unlawful.<\/p>\n

In May the tech giant was given a period of around six months to comply with the data suspension order. Now, a few weeks on from that order we have a freshly ratified high level transfer mechanism for the company to latch onto it \u2014 meaning it can simply ignore the still ink-wet suspension order by switching its claimed legal basis for data exports to the DPF and avoid actually having to suspend any data flows, essentially dodging hard enforcement (albeit, with a bill of around $1.3BN to pay<\/a>).<\/p>\n

This seemingly neverending dance \u2014 which noyb dubs a frustrating \u201clegal ping pong\u201d \u2014 illustrates how challenging it is for EU citizens to exercise the privacy rights the law claims exists to protect their information, even as tech giants with lucrative data-mining business models get to carry on trampling people\u2019s rights as per usual, just so long as they make enough profit to be able to write off any penalty payments as a cost of doing business.<\/p>\n

Still, Reynders had a word of caution for US tech giants too today \u2014 noting: \u201cIt will be for the companies to show that they\u2019re in full compliance with the GDPR [General Data Protection Regulation].\u201d <\/span><\/p>\n

And on that front Meta, at least, does have a growing headache as EU regulators<\/a> \u2014 and, most recently, the CJEU<\/a> \u2014 have cast doubt upon the legal basis it claims for processing people\u2019s data for ad targeting. <\/span>So even if the adtech giant won\u2019t now be forced to cut off all <\/span>its EU-US data flows some hard reforms to how it operates its behavioral advertising business in the EU do now look unavoidable.\u00a0<\/span><\/p>\n<\/p><\/div>\n