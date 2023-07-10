



The European Commission has adopted its Adequacy Decision for the EU-US Data Privacy Framework, concluding that it ensures that US protection of personal data transferred between countries is comparable to that offered in the EU.

But even as its finalization was announced on Monday, the new framework, which comes into force on July 11, is set to face a legal challenge.

“Personal data can now flow freely and securely from the European Economic Area to the United States without any further conditions or authorization,” EU Justice Commissioner Didier Reynders said Monday at a press conference. “The adequacy decision ensures that data can be transferred between the European Union and the United States on the basis of a stable and reliable agreement that protects individuals and provides legal certainty for businesses.”

The agreement comes just days after the US Department of Justice and the US Office of the Director of National Intelligence announced the fulfillment of commitments made under President Joe Biden’s executive order regarding the framework. Twenty-four EU member states representing a population of over 424 million voted on July 7 in favor of the DPF while three unnamed member states abstained.

The US International Trade Administration has launched a Data Privacy Framework website that includes information on self-certification, participating organizations, enforcement and more.

A welcome decision

A press release issued by the European Commission said that “the EU-US data privacy framework introduces new binding safeguards to address all the concerns raised by the European Court of Justice, including limiting access to data from the EU by US intelligence services to what is necessary and proportionate”. and the creation of a Data Protection Review Tribunal.”

Reynders said the framework “clearly” sets out necessity and proportionality requirements and “enforceable safeguards” with a “user-friendly” redress mechanism. The new Data Protection Review Court will have the power to order the deletion of data if it is found to have been collected in breach of the new safeguards, he noted. And Europeans will be able to file a complaint free of charge with their local data protection authority, without having to demonstrate that their data has been accessed by US intelligence agencies, an improvement which he described as “important and crucial to guarantee effective access to remedies, which is sacred.”

European Commission President Ursula von der Leyen said the new framework “will ensure safe data flows for Europeans and provide legal certainty for businesses on both sides of the Atlantic”. The United States, she said, “has implemented unprecedented commitments to establish the new framework.”

Under the US Commitments, EU member states as well as Iceland, Liechtenstein and Norway are “eligible states” and citizens will be able to seek redress from the Data Protection Review Court while still obtaining US enhanced privacy protections.

Alexander Joel, Scholar-in-Residence at American University’s Washington College of Law and Adjunct Professor, CIPP/G, CIPP/US, said the United States had taken “unprecedented steps” to address the issues raised by the CJEU. Joel, former chief of the civil liberties office in the Office of the Director of National Intelligence, said, “When read in light of American law and legal traditions, the new executive order provides many reasons for the CJEU to conclude that the United States provides protections that are substantially equivalent to those provided by EU law.”

The European Data Protection Board will produce “an information note for stakeholders on the implications of the DPF” in the coming weeks, Chairman Anu Talus said.

The EDPB “looks forward to the participation of the European Commission in its next plenary meeting, where it will shed light on the final text of the adequacy decision and on the changes following the opinion of the EDPB”, said she declared.

‘Schrems III’ coming soon

The EU-US Data Privacy Framework replaces the EU-US Privacy Shield, which was struck down by the European Court of Justice in July 2020. Since then, Reynders has said it is “a absolute priority” for the commission to restore stability and continuity in the protection of European data crossing the Atlantic.

While Reynders said the framework is “substantially different from the EU-US Privacy Shield”, privacy organization NOYB, which has legally challenged the Privacy Shield and its predecessor the Safe Harbor Framework, said it was “largely a copycat”.

NOYB said it would appeal the framework, noting that “the third attempt by the European Commission to secure a stable agreement on EU-US data transfers will likely be back in the Court of Justice. (of the European Union) in a few months”. The organization said the US failed to address “fundamental” surveillance issues.

“They say the definition of insanity is doing the same thing over and over again and expecting a different outcome. Much like the ‘Privacy Shield’, the latest deal is not based on material changes, but over political interests. Once again, the current Commission seems to think that the mess will be the problem of the next Commission,” said Max Schrems, Honorary Chairman of the NOYB. “We now had ‘ports’, ‘umbrellas’ “, “shields” and “frames”, but no substantial change in US surveillance law. Merely announcing that something is “new”, “robust” or “effective” does not cut it before the Court of Justice. We would need changes in US surveillance law to make it work and we just don’t have it.

Reynders responded to NOYB’s announcement at Monday’s press conference, saying the new system should be tested before announcing a legal challenge.

“I’m sure we have a very strong case to show that we now have a very different system than what we had with Safe Harbor and also with the Privacy Shield,” he said. “We are very confident not only to implement such an agreement, but to defend such an agreement in all the different procedures that we will have to face. Again, this is only a proposal, but why not test the new system before going too far in criticizing such a system.”

Joel said how well the executive will fare before the CJEU is “of course the million dollar question”.

“What is evident now is that within the next two years the CJEU is expected to rule on whether the EU-US data protection framework provides safeguards substantially equivalent to those required by EU law. In the meantime, the adequacy decision should allow data flows to continue, including through mechanisms such as (standard contractual clauses) and (binding corporate rules).”

As the suitability decision is finalized and the ensuing litigation unfolds, Joel said he “hopes” that if any particular concerns emerge “there will be room to figure out how to resolve them, thanks to greater transparency and mutual understanding, or even policy changes”.

But what if the US protections in the new framework aren’t enough to withstand legal challenges?

“Well, as legal scholars like to say, it depends. If the Court makes a decision that is fundamentally inconsistent with the Supreme Court’s rulings on standing and would therefore require a constitutional amendment, then I think we we will be facing a potentially intractable crisis,” he said. “I have heard from European friends and colleagues that it is simply not an option to change EU legislation, for example (the General Data Protection Regulation) to help resolve these kinds of data flow issues. In that sense, I think American experts would be unanimous in saying that amending the Constitution would be off the planet.”

