EU-US data agreement may still be far away

More than a year after a groundbreaking court ruling invalidated EU-US data transfer contracts, the flow of commercial data across the Atlantic faces legal challenges. Negotiators on both sides of the pond have come up with new solutions, but this time around the standards are high and, despite the increasing urgency, it is doubtful that anything other than a review of the U.S. Foreign Intelligence Surveillance Act will be sufficient.

The EU and the US are trying to find an agreement on data transfer, but it is difficult to establish a common rationale. (Photo by Nicholas Economou/NurPhoto via Getty Images)

Last July, the Privacy Shield, the mechanism for legal data transfer from the EU to the United States, was invalidated by the Court of Justice of the European Union (CJEU) because it did not adequately protect European data from processing by US intelligence agencies.

“The heart of the matter here is that this agreement inevitably combines commercial and national security-related protections,” says Caitlin Fennessy, research director at the International Association of Privacy Experts. Privacy Shield was the mechanism used by commercial organizations to move data, but “the challenges that have arisen over the years have been […] all in the realm of national security.”

The proceedings in the CJEU are based on a 2013 complaint filed by Austrian lawyer and privacy activist Max Schrems, who claimed that European data in the US is subject to government surveillance, because authorities under the US Foreign Intelligence Surveillance Act (FISA) allow companies to pass data from non-US citizens to intelligence agencies.

An earlier legal challenge, Schrems I, struck down Safe Harbor, the EU-US data transfer agreement that preceded the Privacy Shield. For EU and US negotiators, the possibility of a “Schrems III” legal challenge looms.

“The reason for the delay in finding the agreement seems to be the fact that the EU does not want to accept another ‘band-aid’ solution similar to the Privacy Shield or Safe Harbor, which the CJEU would bring to an end in a short period of time because it could not fundamentally guarantee that the data protection rights of EU citizens would be respected,” says Paolo Balboni, a founding partner and professor of privacy, cybersecurity and IT contract law at Maastricht University.

EU-US Data Contract: What is an alternative to Privacy Shield?

This time, the CJEU has set strict standards for what is considered appropriate protection of European data. One of the most difficult problems to solve is about relief: according to the CJEU, new procedures should be implemented to protect European individuals who are illegally selected by the NSA.

The Privacy Shield Agreement introduced a new remedy mechanism in the form of an ombudsperson that allows individuals to challenge government access to their data if they believe that the data has been processed in a way that is inconsistent with data protection. The latest CJEU ruling stated that this remedy mechanism was not sufficiently independent and not fully empowered.

“Authorities say bailouts are the most difficult problem to solve,” said Peter Swire, a professor of privacy at Georgia Institute of Technology and a former U.S. government privacy officer.

Several remedies have been proposed for this problem. The EU reportedly believes that only a non-enforcement US agency, such as the Privacy and Civil Liberty Oversight Commission, acting in collaboration with the Foreign Intelligence Oversight Court, may be sufficient to thwart another CJEU challenge.

Meanwhile, some U.S. privacy groups are proposing changes to the legal system so that non-U.S. citizens can use regular courts instead of national security courts to file legal objections when they believe that their data has been illegally processed by a state security agency.

“The Biden administration, and ultimately the US Congress, will have to provide more checks and balances in its foreign surveillance system, at least for Europeans,” says Anupam Chander, a professor at Georgetown University. “Therefore, modifying the privacy shield means modifying US surveillance law, which is probably even more difficult than modifying US privacy law.”

Fine-tuning US surveillance legislation, especially at the request of foreign countries, is considered a politically tricky proposal. One solution to a potential impasse is for US President Joe Biden to issue an executive order instead of changing the law. “The president has a wide range of powers to require federal agencies to build and implement new systems,” says Swire. “For example, he can order intelligence agencies to follow the decisions of new referees in need of relief.”

This can provide a simpler path to a solution. “I think [US officials] recognize that Congress’s actions are not the only way forward, but perhaps a more challenging way forward, and government officials are also considering it,” says Fennessy.

Can the United States meet EU requirements?

But whether an executive order will satisfy the CJEU is another matter.

EU Commissioner Didier Reynders and Věra Jourová, European Commission Vice President for Values and Transparency, said that “a significant change in the way the United States handles data for EU citizens is a prerequisite for the new agreement.” “More specifically, this means that the United States needs to specifically and legally restrict access to EU citizens’ data by US state security agencies (via actual law), and EU citizens need to be able to challenge it.”

“I don’t know how executive orders will replace data contracts,” says W. Gregory Voss, associate professor of business law at Toulouse Business School. “I cannot imagine an executive order to establish a framework for how U.S. companies process EU personal data and enable those Europeans to more effectively protect the privacy of their data than U.S. citizens.”

Existing data transfer methods can be compromised

Whatever the end result, negotiations are all the more urgent because the other EU-US data transfer methods used by US companies also appear to be at stake. Standard contractual clauses (SCCs) are a fallback method for US companies, but some recent developments in the EU have undermined their legitimacy.

Facebook is currently involved in a legal battle with Ireland over alleged privacy breaches related to cross-Atlantic data transfer. In May of this year, the Irish High Court ruled against the social networking giant in the dispute. This decision did not yet prevent Facebook from sending data to the United States, but the court approved the Data Protection Commission’s view that data cannot be transferred to the United States using SCCs in light of the CJEU’s July ruling.

According to a recommendation from the European Data Protection Commission released in July, some data transfers to third countries cannot be legally carried out despite the existence of legal mechanisms such as SCC. Instead, companies need to assess the feasibility of each data transfer on a case-by-case basis.

“At this time, without agreement, businesses and privacy professionals around the world are in a position to evaluate and create protections that affect government surveillance. This is just an unacceptable position for the majority of businesses, those who are moving data for very routine commercial tasks,” says Fennessy.

“We know that companies may stop data flow, localize data, or stop providing related services because of the challenges privacy professionals are trying to comply with.”

Some companies may apply “special measures” to protect their data from US intelligence, but social media and other data processing companies are subject to Section 702 of the US FISA. In other words, this is the only thing they can do.

“The real problem arises with companies such as Facebook, cloud providers, and email providers that are subject to US mass surveillance laws and regulations,” Voss says. Zoom and Cloudflare are two companies that are already in the crosshairs.

If no new data contracts are in place, certain US companies may be forced to store their data in the EU. This is a technique called data localization. “If we don’t change the mass surveillance laws in the United States, certain companies subject to these laws may be ordered to stop importing personal data into the United States, which could cause flow disruptions,” Voss says.

Raleigh is a senior reporter at TechMonitor.