As the detail of the preliminary deal for international data transfers between the US and the EU emerges it is clear it is not palatable to some privacy activists, in fact Max Schrems calls it “lipstick on a pig”!
So what have we learned about this preliminary deal? Well according to the White House Fact Sheet and the EU Commission infographic it is an agreement in principle to be known as the Trans-Atlantic Data Privacy Framework (“the Framework”). The two sides have intensified negotiations to finalise the details and prepare the Executive Order for the US and the legal texts that are required for the draft adequacy decision from the European Commission. As we know from the UK’s walk along the adequacy path there are many twists and turns before a conclusion is reached. It will be a number of months after the legal texts are prepared before we may finally see a finding of adequacy for the US – and let’s not forget the inevitable challenges!
Max Schrems has already set out his stall, saying on the day the preliminary deal was announced “[a] decision can quickly be challenged with the European Court of Justice. noyb expects to be able to get any new agreement that does not meet the requirements of EU law back to the CJEU within a matter of months e.g. via civil litigation and preliminary injunctions. The CJEU may even take preliminary action, if a deal is clearly violating previous judgements.”
While the ideological fracas continues, those interested in the specifics of the new deal will no doubt be asking where the breakthrough has been made? Some might argue the US commitment “to implement new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives” and the willingness “to create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities” has certainly helped.
Examples of commitments from the US include:
“(i) Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties;
(ii) EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the U.S. Government who would have full authority to adjudicate claims and direct remedial measures as needed; and
(iii) U.S. intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.”
In addition those organisations seeking to rely on the Framework will be required to abide by the Privacy Shield Principles, including the need to self-certify with the US Department of Commerce. EU data subjects will be able to resolve any complaints in a number of ways, “including through alternative dispute resolution and binding arbitration.”
There is an acknowledgement that striking a deal is beneficial to both sides citizens, societies and economies – in fact the briefing values the US/EU economic relationship at $7.1 trillion. Some may say money talks! While the privacy activists say this is a political statement and without a legal text raises more questions than it gives answers. We will be following developments closely and posting updates on our data and privacy blog.
“This Framework will reestablish an important legal mechanism for transfers of EU personal data to the United States.”