Transatlantic data transfers ‘deal in principle’ faces tough legal review – TechCrunch

The political agreement reached late last month between the European Union and the US administration on a new transatlantic data transfer pact that aims to end years of legal uncertainty for companies exporting data from the bloc it’s not closed yet. The deal in principle faces scrutiny in the coming months once the full text is published, and will most likely face fresh (and quick) legal challenges if adopted, so it all depends on the details.

Yesterday, the European Data Protection Board (EDPB), which advises on compliance with EU data protection law, issued a statement outlining where it will turn its attention when reviewing this detail, saying it will pay “particular attention to how this policy agreement translates into concrete legal proposals.”

“The EDPB looks forward to carefully assessing the improvements that the new framework can bring in the light of EU legislation, CJEU case law and the Board’s previous recommendations, once the EDPB receives all supporting documents from the Commission. Union,” the Board wrote.

“In particular, the EDPB will analyze whether the collection of personal data for national security purposes is limited to what is strictly necessary and proportionate. In addition, the EDPB will examine how the announced independent redress mechanism respects the right of EEA individuals to an effective remedy and fair trial. More specifically, the EDPB will study whether any new authority that is part of this mechanism has access to relevant information, including personal data, in the exercise of its mission and whether it can adopt binding decisions for the intelligence services. The EDPB will also consider whether there is a judicial remedy against the decisions or inaction of this authority.”

The EDPB also warned that the political agreement is not yet a legal agreement, emphasizing that data exporters must continue to comply with the case law of the bloc’s top court in the meantime; and especially with the July 2020 ruling of the CJEU, also known as Schrems II, which annulled the last data transfer agreement between the EU and the US (also known as the EU-US Privacy Shield). . USA).

Speaking about the political agreement reached last month to replace the defunct Privacy Shield, the Biden administration said the United States has committed to implementing “new safeguards” that it said would ensure that the data collection activities of agencies surveillance states are “necessary and proportionate” and linked to “defined national security objectives”.

The clash between the primacy of US surveillance laws and strong EU privacy rights remains the fundamental schism, so it is hard to see how a new deal will be able to withstand new legal challenges unless it compromises. to put strict limits on US mass surveillance programs.

The replacement agreement should also create an adequate avenue for people in the EU to seek and obtain redress if they believe they have been unlawfully targeted by US intelligence agencies. And that also seems difficult.

Last month, prior to the announcement of the political settlement, The Hill reported on a US Supreme Court ruling in a case involving FBI surveillance that it suggested made a settlement difficult as the court strengthened the state secrets privilege for espionage cases by finding that Congress failed to eliminate this privilege when it enacted surveillance reforms in the Foreign Intelligence Surveillance Act (FISA).

“Although the opinion left open the possibility that people like the Fazaga plaintiffs could make claims based on public information about government surveillance, most people need sensitive government information to help prove their surveillance was illegal. . The decision could make it easier for the government to protect such information from judges, and thus make it harder for most people who challenge surveillance to prove their claims and get justice in court,” the publication reported.

The need for deeper FISA reforms has been a key call from critics of previous EU-US data transfer agreements (before Privacy Shield there was Safe Harbor, which was struck down by the CJEU in 2015 ).

Last month, the White House said the deal agreed in principle would allow people in the EU “to seek redress through a new multi-tier redress mechanism that includes an independent Data Protection Review Tribunal that would be made up of chosen persons outside of the US government authority to adjudicate claims and direct corrective action as necessary.”

However, the legal status of this “Court of Review” will be key, as the EDPB statement underlines.

Furthermore, if the US Supreme Court takes a different view that essentially nullifies any deal the Biden administration promises by making it impossible for people in the EU to get the information they need to be able to file a lawsuit against the government from the US that would undermine the ability of EU citizens to Really get redress… And, well, the CJEU has made it very clear that EU individuals subject to unlawful surveillance in a third country must have a genuine and meaningful way of seeking accountability.

The EDPB statement clarifies exactly these concerns: the Board notes that any “new authority” established under a redress claim will need “access to relevant information, including personal data” in order to fulfill that mission; and it should also be able to make binding decisions for the intelligence services.

It is worth remembering that the Privacy Shield “ombudsman” regime that was tested in Privacy Shield did not pass the test with the CJEU, both for independence reasons. Y by the inability of the ombudsman to make binding decisions for the intelligence services.

It remains to be seen how different a “Data Protection Review Tribunal” would be in those respects.

Max Schrems, the EU privacy campaigner who successfully brought down the last two data transfer agreements between the EU and the US, is skeptical that the latest “solution” offers anything substantially different: he recently tweeted another striking visual metaphor to illustrate your initial assessment…

If no genuine surveillance reform takes place in the US, squaring the circle of data transfers may very well be as challenging as it has been in the last two times around the block. But even if the political imperative within the EU to reach an agreement overrides the obvious loopholes, as happened when the last Commission ignored concerns and adopted the Privacy Shield, that will only mean that the two sides are buying time until the CJEU strikes it down.

Probably not for long.

While Safe Harbor stood for 15 years, Privacy Shield only lasted four, and Schrems has suggested that a new challenge to yet another flawed replacement would be rushed to the CJEU “within months” of a final decision to adopt it. So EU lawmakers have been warned.

Leave a Comment