Exchange of data, peace breaks out between Europe and the United States but it could be short-lived

Listen to the audio version of the article

There is peace between Europe and the United States – after a three-year wait – on the exchange of data. Big techs breathe a sigh of relief; just think that due to the uncertainty on this front, Meta had threatened to leave Europe. Ditto companies and public administrations that use their services and that were beginning to suffer the attention of the Privacy Guarantor, precisely due to the absence of a US-Europe agreement. But it could be a short-lived respite. There has been a lot of criticism, even within Europe, of this pact which has political and economic value (“data economy” together). Precisely the one adopted on 10 July 2023 by the European Commission is a new adequacy decision on the EU-US regulatory framework on data privacy. The adoption of this adequacy decision follows years of intense negotiations between the EU and the US, following the invalidation of the EU-US Privacy Shield by the Court of Justice of the European Union (“CJEU”) in the Schrems II case.

What does the agreement say?

According to the European Commission’s press release, the decision establishes that the United States guarantees an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new regulatory framework. All this despite the anti-terrorism surveillance apparatus that the US has put in place over the last twenty years, which led to the rejection of the previous agreement (Privacy Shield). The long overdue adequacy decision provides companies Members of the EU who transfer personal data to the US an additional mechanism to legitimize their transatlantic data transfers. And therefore avoid problems with privacy regulations. The adequacy decision allows self-certified companies that join the EU-US Data Privacy Framework and commit to a variety of privacy obligations to receive EU personal data without having to put in place additional transfer safeguards. According to the European Commission, the EU-US Data Privacy Framework addresses all the concerns raised by the CJEU, including regarding access to EU data by US intelligence services. European citizens are also offered better redress mechanisms if their personal data is processed in a way that does not comply with the EU-US Data Privacy Framework, including through the recently established Data Protection Review Tribunal.

What changes

Companies currently self-certified under the EU-US Privacy Shield framework will have access to a streamlined process for self-certifying under the EU-US Data Privacy Framework. But criticisms have already appeared in recent months, as soon as the current text of the adequacy decision (still to be approved at the time) emerged. In February, the European Data Protection Board, which brings together all EU data protection authorities, highlighted several areas for improvement, in particular as regards the rights of data subjects, onward data transfers and the collection of temporary mass data. European privacy regulators have also noted that the practical functioning of the redress mechanism and the interpretation of the principles of necessity and proportionality need to be closely monitored. In particular, the concept of “proportionate” access to data may not be in line with the EU Charter of Fundamental Rights, as US jurisprudence will define the term. Criticisms, in May, also from the European Parliament. The appeal mechanism is another controversial aspect. In addition to the Civil Liberties Officer, it includes a Data Protection Review Tribunal, which however is not fully independent as it belongs to the US executive branch. Max Schrems stated that he has a new appeal to the CJEU ready, because this latest adequacy decision is essentially the same as the previous ones. He’s made two so far on these deals and won both.

What will happen

“We expect the new system to be used by the first companies in the coming months, which will pave the way for an appeal by someone whose data is transferred under the new tool. It is not unlikely that a dispute could reach the CJEU by the end of 2023 or the beginning of 2024. The CJEU would have the possibility to suspend the “framework” for the period of the procedure. A final decision by the CJEU would be likely by 2024 or 2025. Regardless of the success of such an appeal, this will bring clarity to the ‘Transatlantic Data Privacy Framework’ within about two years,’ he said. “Over the past 23 years, all agreements between the European Union and the United States have been declared invalid retroactively, making all past data transfers by companies illegal – now it seems that we add another two years of this ping-pong,” he said. added.Schrems, with his Nyob association, denounces that the EU prefers to protect relations with the USA in this way to the detriment of privacy. “All of this inevitably raises serious doubts about the consistency and long duration of an agreement that was rushed by the Commission and which could therefore be challenged and invalidated again by the Court of Justice, for the third time”, explains l privacy lawyer Anna Cataleta. “The new agreement po Exchange of data, peace breaks out between Europe and the United States but it could not last long: this is why it could therefore be short-lived”, she adds.