Agreement in principle on transatlantic data transfers faces rigorous legal scrutiny – TechCrunch

The political agreement reached at the end of last month between the European Union and the United States administration on a new transatlantic data transfer pact, which aims to end years of legal uncertainty for companies exporting data from the bloc, is not yet concluded. The tentative agreement faces scrutiny in the coming months once the full text is published – and will most likely face new (and quick) legal challenges if it passes, so it all depends on the details.

Yesterday the European Data Protection Board (EDPB), which advises on compliance with EU data protection law, issued a statement setting out where it will direct its attention when looking at this detail – saying that it will pay “particular attention to how this policy agreement translates into concrete legal proposals”.

“The EDPS looks forward to carefully assessing the improvements that the new framework could bring in the light of EU law, CJEU case law and the Committee’s previous recommendations, once the European Committee has received all supporting documents from the European Commission,” the committee wrote.

“In particular, the EDPS will analyze whether the collection of personal data for national security purposes is limited to what is strictly necessary and proportionate. In addition, the EDPS will examine how the announced independent redress mechanism respects the right of EEA individuals to an effective remedy and to a fair trial. More specifically, the EDPS will examine whether any new authority forming part of this mechanism has access to relevant information, including personal data, in the exercise of its mission and whether it can adopt decisions binding on the intelligence services. The EDPS will also examine whether there is a judicial remedy against the decisions or inaction of this authority.”

The EDPB also warned that the political agreement is not yet a legal agreement – stressing that data exporters must continue to comply with the case law of the bloc’s highest court in the meantime; and in particular with the July 2020 judgment of the CJEU, aka Schrems II, which annulled the last EU-US data transfer agreement (aka the EU-US Privacy Shield).

Speaking about the political agreement reached last month to replace the defunct Privacy Shield, the Biden administration said the United States had committed to put in place “new safeguards” that it said would ensure that state surveillance agencies’ data collection activities will be “necessary and proportionate” and linked to “defined national security objectives”.

The conflict between the primacy of US surveillance laws and the EU’s strong privacy rights remains the fundamental schism – so it’s hard to see how any new deal will be able to withstand further legal challenges unless it commits to imposing strict limits on US mass surveillance programs.

The replacement agreement will also need to create an appropriate means for EU citizens to seek and obtain redress if they believe US intelligence agencies have unlawfully targeted them. And that also looks difficult.

Last month, before the political deal was announced, The Hill reported on a U.S. Supreme Court ruling in a case related to FBI surveillance that it said made an agreement more difficult – as the court strengthened state secrets privilege for espionage cases by finding that Congress did not eliminate this privilege when it enacted surveillance reforms in the Foreign Intelligence Surveillance Act (FISA).

“While the opinion leaves open the possibility that people like the Fazaga plaintiffs could nonetheless pursue claims based on public information about government surveillance, most people need sensitive government information to help prove that his surveillance was illegal. The ruling could make it easier for the government to protect such information from judges, and therefore more difficult for most people challenging the surveillance to prove their claims and seek justice in court,” the publication reported.

The need for deeper FISA reforms has been a key call from critics of previous EU-US data transfer agreements (before Privacy Shield there was Safe Harbor – which was annulled by the CJEU in 2015).

Last month, the White House said the agreement reached in principle would allow EU citizens to “seek redress from a new tiered redress mechanism that includes an independent Data Protection Review Tribunal composed of persons selected from outside the U.S. government who would have full jurisdiction to adjudicate claims and order necessary corrective action”.

However, the legal status of this “court of review” will be essential, as the EDPB statement points out.

Moreover, if the US Supreme Court takes a different view, one that essentially nullifies any deal promised by the Biden administration by making it impossible for EU citizens to get the information they need to bring an action against the US government, that would compromise the ability of EU citizens to actually seek redress… And, well, the CJEU has made it clear that EU individuals subject to unlawful surveillance in a third country must have a genuine and meaningful way to pursue liability.

The EDPB statement elucidates exactly those concerns – with the Board noting that any “new authority” created in the context of a redress claim will need “access to relevant information, including personal data” in order to live up to this mission; and will also have to be able to adopt binding decisions for the intelligence services.

It should be recalled that the “ombudsman” regime which was tested under the Privacy Shield was not upheld by the CJEU – both for reasons of independence and because of the impossibility for the ombudsman to adopt binding decisions for the intelligence services.

It remains to be seen how different a “data protection review court” would be in this regard.

Max Schrems, the EU privacy campaigner who successfully derailed the last two data transfer agreements between the EU and the US, remains skeptical that the latest ‘fix’ offers something substantially different – recently tweeting another eye-catching visual metaphor to illustrate his first assessment…

Absent real surveillance reform in the United States, squaring the circle of data transfers may well be as difficult a challenge as it has proven the last two times around the block. But even if the political imperative within the EU to get a deal outweighs obvious legal loopholes – as was the case when the last Commission ignored concerns and passed the Privacy Shield – it will simply mean that both sides buy time until the next CJEU strike.

Probably not a lot of time either.

While Safe Harbor lasted 15 years, Privacy Shield only lasted four years – and Schrems suggested a new challenge to another flawed replacement would be expedited by the CJEU “within months” of the court’s final decision. European lawmakers have therefore been warned.
