The New EU-US Data Privacy Framework after Schrems II

News, May 11, 2024

During the summer of 2023, on July 10th, the European Commission adopted the adequacy decision for the E.U.-U.S. Data Privacy Framework. The decision is the result of a long and troubled path, during which the Court of Justice of the European Union had dismantled the E.U.-U.S. personal data transfer system.

The G.D.P.R. requires that any data transmission made by a Data Controller established in the territory of the Union to another Data Controller or Processor established in a Third Country must comply with the European rules, whether or not the processing is carried out in the Union (art. 3, par. 1 of the G.D.P.R.).

However, starting in 2015, the European Court of Justice had declared the level of personal data protection offered by the U.S. inadequate compared to the European one. As a consequence, the Court invalidated the “Safe Harbour” agreement in 2015 (“Schrems I” case) and then, again, in 2020, the adequacy decision 2016/1250 of the E.U. Commission on the “Privacy Shield” agreement (“Schrems II” case).

With specific reference to the latter judgment, the Court underlined that the inadequacy lay in the fact that U.S. law permitted public authorities (in particular, intelligence agencies) to access the personal data of individuals transferred from the E.U. to the U.S. for national security purposes, without guaranteeing data subjects enforceable rights against U.S. authorities in court.

As a result, the U.S. Government took action to provide a new data privacy framework, so that another adequacy decision could be approved.

In July 2023, the European Commission adopted adequacy decision 4745/2023, based on the U.S. presidential Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities” of October 7th, 2022.

This latest framework aims to answer the issues raised by the E.C.J. by reforming the U.S. data protection system on two main levels.

First, binding limits on data access are imposed on public authorities carrying out intelligence activities. Such surveillance activities are not banned, but they must be necessary and proportionate in order to protect specific and defined national security objectives. To guarantee continuous respect of these requirements, an oversight mechanism for compliance is to be implemented.

Second, the level of protection of human rights of any kind and nature is evaluated not just through the “quality” of the abstract set of norms, but also through the enforcement and judicial (or quasi-judicial) systems that guarantee their effectiveness.

The E.O. defines a multi-layer mechanism allowing individuals to obtain binding review and redress of claims of violation of data protection rules, including the enhanced safeguards set out in the E.O. itself.

On the one hand, a preliminary phase of protection is conducted by the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (C.L.P.O.): after receiving a complaint, the C.L.P.O. carries out an investigation and then informs complainants of the results.

This means that individuals are not required to fully demonstrate the grounds of their complaints by themselves; that activity is conducted by a specialized body.

On the other hand, the E.O. establishes a Data Protection Review Court (D.P.R.C.), providing independent and binding review of the C.L.P.O.’s decisions on whether the claimed violation actually occurred. In particular, the Court has the power to review cases and to resolve the dispute, and its judges enjoy protections against removal.

Another guarantee provided by the E.O. is the appointment, for each case, of a special advocate with relevant experience, who supports the Court’s activities by ensuring that the judges are well informed about the issues and the applicable law with specific reference to the matter and, consequently, that complainants’ interests are properly represented.

In order to guarantee independence, judges are to be appointed from outside the U.S. Government. Specifically, they should be selected from professionals with relevant experience in the fields of data privacy and national security.

The European Commission’s adequacy decision is also based on the principle of private business compliance. Although the safeguards just described are to be put into action specifically by the U.S. Government, the decision still requires that private companies processing data coming from E.U. territory self-certify their adherence to the principles formulated by the U.S. Department of Commerce, such as providing notice to consumers about the type and purpose of the data collection and whether the collected data may be transferred to a third party, and guaranteeing a high level of security by adopting reasonable and appropriate data compliance measures.

In conclusion, the adequacy decision entered into force immediately, so that it already applies to all European data transfers processed by U.S. companies and public authorities.

Its effects and manner of application are to be continuously monitored by the Commission and, where necessary, the decision should be updated. According to the European Commission, the first periodic review of the framework is scheduled for 2024, on which occasion the analysis will cover, above all, the effectiveness in practice of the U.S. system of guarantees.
