.svg)
Details about the new EU-US data transfer mechanism raise more questions about the stability of the adequacy agreement, Schrems has said in an open letter to the EU’s data protection institutions.
“We are fully aware that this is everything but an easy task, but the investment in getting it right would not only ensure that this matter is solved in the long run, but also benefits citizens and the economy on both sides,” an open letter written by Schrems’ campaign group, My Privacy Is None Of Your Business (NOYB), says.
In March, the United States and the EU announced they had agreed in principle on a new Trans-Atlantic Data Privacy Framework that will allow businesses to share data freely between the two economies.
The new framework aims to address concerns brought forward by the Court of Justice of the European Union (CJEU) in July 2020, in the Schrems II case.
This concerned US surveillance laws that meant that US intelligence agencies could target non-US persons, without giving EU citizens actionable rights to challenge this exercise in court.
Policymakers have been in talks since then, trying to negotiate a new agreement that brings US data protection rules up to par with the EU's General Data Protection Regulation (GDPR).
However, experts have already expressed their concerns to VIXIO that the compromise will not be workable in the long run, and NOYB appears to have come to the same conclusion.
“We understand that the envisioned deal will largely rely on US executive orders. Having worked on this matter with US surveillance experts and lawyers, such executive orders seem to be structurally insufficient to meet the requirements of the CJEU,” the letter says, warning legislators that the announced framework risks sharing the same fate as its two predecessors in front of the CJEU unless substantive legislative reforms are conducted in the US.
Negotiators need to continue working for a long-standing, privacy-preserving solution for trans-Atlantic flows to avoid a “Schrems III” decision, the letter warns.
“The current approach may cause further legal uncertainty for citizens and businesses for years to come — a fear that was also voiced by industry representatives in reaction to the agreement in principle.”
Among the recommendations that the pressure group has made is a call for the negotiators to apply a “correct” proportionality test on US surveillance law under the EU’s Charter of Fundamental Rights (CFR).
NOYB has also called for the agreement to include judicial redress rights for the EU, stating that it understands the US does not intend to do this at the moment.
Instead, the US executive is set to form a new body within the executive branch to deal with potential violations of US law and executive orders.
This would be called the Data Protection Review Court and will — contrary to the name — not be a court but an executive body. It will be part of the executive branch, with limited independence, which NOYB says violates CJEU case law.
“Just naming an executive body a 'court' does not create judicial redress. The approach seems to be better described as an 'Ombudsperson Plus',” the letter points out.
The campaign group has also called on EU negotiators to update commercial privacy protections.
In particular, it is concerned that the EU and US negotiators do not seem to plan any updates to the Privacy Shield Principles, which businesses currently use when making data transfers.
“We understand that the Privacy Shield Principles and certifications would not be touched or even renamed. This is hugely problematic, as the principles are largely based on the 'Safe Harbor' principles from 2000, with only minor updates in 2016,” the letter says.
The principles, NOYB argued, are not in line with the GDPR requirements, which became applicable in 2018.
In fact, the Privacy Shield Principles even refer to the no longer applicable Directive 95/46/EC, which predates the GDPR.
“We are sorry to see that the negotiators have not used this opportunity to ensure that the human rights to privacy and data protection are protected on both sides of the Atlantic and independent of geographic location or citizenship,” the letter concludes.
“We are deeply convinced that a global internet and the free flow of personal data is only possible if protections are not based on historic and nationalistic concepts, such as citizenship.”
NOYB has said that it is prepared to challenge any final adequacy decision that would fail to provide the needed legal certainty.
In case litigation is necessary, the group aims to focus on finding a quick and efficient path to the CJEU to reach a rapid decision. “We hope that this will ensure a shorter period of legal uncertainty in the case of any ill-conceived political agreement.”
Such a challenge, NOYB says, may include a request for the CJEU to suspend the application of any third version of a US adequacy decision.
“In the absence of these legislative changes, we are concerned that any future agreement would be (again) based on political hopes instead of legal realities,” the letter says, adding that it is especially concerned that the European Commission may knowingly adopt another unlawful adequacy decision with the aim of undermining the CJEU’s judgments.
NOYB continues: “This may not only lead to an endless ping-pong between Brussels and Luxembourg but also threatens the trust in the rule of law and the CFR on the European level.”
