Politics

European Commission publishes draft adequacy decision on EU-US data flows – EURACTIV.com


The European Commission initiated the formal process for adopting an adequacy decision on the EU-US Data Privacy Framework on Tuesday (13 December). But the third attempt to underpin transatlantic data transfers is bound to face more legal challenges.

The draft decision follows the signature of the executive order by US President Joe Biden in October intended to introduce safeguards for EU resident’s personal data, notably by limiting the access of US intelligence agencies and introducing an independent redress mechanism.

The disproportionate access of US security services to European bulk data, first revealed by Edward Snowden in 2013, was one of the crucial reasons why the transfer of personal data across the Atlantic was deemed illegal by the EU Court of Justice twice in the landmark Schrems rulings.

In particular, the EU top court found that the US jurisdiction did not provide adequate protection for personal data. At the same time, the US legal system did not allow legal challenges such as data processing wrongdoings in court, while legal redress is a core EU principle.

Therefore, ever since the Schrems II ruling in July 2020, the European Commission and the US administration have been scrambling to create a new legal framework that would avoid legal uncertainty for the hundreds of companies operating in the trillion-worth transatlantic trade.

“Over the past months, we assessed the US legal framework provided by the Executive Order as regards the protection of personal data. We are now confident to move to the next step of the adoption procedure,” said EU Commissioner for Justice Didier Reynders in a statement.

Data adequacy process

The Commission deems the new legal framework based on the Executive Order to be comparable to European data protection standards, meaning that the personal data of EU residents can be safely and legally transferred on the other side of the Atlantic.

Publishing the draft decision is only the first formal step of the process to rubber stamp a foreign jurisdiction as having an adequate level of data protection. The next step will be for the European Data Protection Board, which gathers all EU data protection authorities, to issue an opinion.

The decision will then need the approval of a committee formed by member states’ national representatives before the formal adoption, which the Commission hopes to achieve by the summer of 2023.

Meanwhile, the EU Parliament and Council could challenge the decision if they deem the Commission overstepped its powers.

If confirmed, the data adequacy decision would be regularly reviewed to ensure that the relevant elements from the US legal framework have been fully implemented and are functioning effectively in practice. The reviews will start one year after the adoption of the decision.

Legal challenges

The Executive Order was anticipated by an agreement ‘in principle’ announced by US President Biden and European Commission President Ursula von der Leyen in March. Since then, the two executives have tried to nail down a technical arrangement that would stand in court.

“As the draft decision is based on the known Executive Order, I can’t see how this would survive a challenge before the Court of Justice. It seems that the European Commission just issues similar decisions over and over again, whichin flagrant breach of our fundamental rights,” said Max Schrems, the Austrian lawyer who gave the name to the two landmark rulings.

When the Executive Order came out, Schrems pointed to several criticalities—starting with the fact that the US administration accepted to reign in the surveillance activities of its intelligence services to what is ‘necessary’ and ‘proportionate’, two fundamental concepts of EU law.

However, the Austrian activist argued that there is little indication that US mass surveillance will change in practice since the American and European legal systems and practices diverge significantly in what they define as necessity and proportionality.

Regarding legal redress, Schrems also questioned whether the Data Protection Review Court established by the Executive Order is an actual court since it will be part of the US executive branch. In his view, this arrangement is an upgraded version of the Ombudsperson that the EU top court has previously rejected.

Try before you despise

“I’m sure we will have a new discussion before the Court of Justice. Processing personal data is in the business model of many Big Tech companies. But going before the Court of Justice is maybe in the business model of Mr Schrems,” Commissioner Reynders told EURACTIV last week.

Reynders insisted that it was confident the new legal arrangement was genuinely robust and invited sceptics to test the redress mechanism by challenging some decisions by US intelligence agencies before trying to shoot the whole system down.

[Edited by Alice Taylor]





Read More:European Commission publishes draft adequacy decision on EU-US data flows – EURACTIV.com

2022-12-13 14:55:25

Get real time updates directly on you device, subscribe now.

Business News Updates

Having a business name does not separate the business entity from the owner, which means that the owner of the business is responsible and liable for debts incurred by the business. If the business acquires debts, the creditors can go after the owner's personal possessions. A business structure does not allow for corporate tax rates. The proprietor is personally taxed on all income from the business.

You might also like More from author
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More

Get more stuff like this
in your inbox

Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.

We respect your privacy and take protecting it seriously