In the third attempt, the agreement on fundamental rights-compliant exchange of personal data between the EU and the USA should succeed. In any case, the EU Commission is confident: “On the basis of the new framework, data will be able to flow freely and securely between the EU and the US companies involved.”
Privacy and civil rights must be protected
Both sides locked in one Friday afternoon joint statement: A planned and improved approach goes hand in hand with an “unprecedented commitment” by the United States to implement reforms that enhance privacy protections and civil rights in radio communications and intelligence surveillance. Previously, European Union Commission President Ursula von der Leyen (CDU) and US President Joe Biden had only publicly announced that they had reached a basic agreement in a dispute that had been brewing for years.
The new version of the previous Privacy Shield, which the European Court of Justice (ECJ) overturned after a suit brought by Austrian data protection activist Max Schrems in the summer of 2020, has been dubbed the Transatlantic Data Protection Framework by negotiating partners. It must be noisy Fact Sheet (PDF file) Among other things, the commission contained a “new set of binding rules and safeguards” to restrict US secret services such as the National Security Agency’s access to the personal data of EU citizens “as necessary and proportionate to protect national security.”
“Effective controls” and special courts
According to the agreement, US security authorities will introduce “measures that ensure effective oversight of new data protection standards and civil rights.” There will also be a “new, two-tier appeal system to investigate and resolve complaints from Europeans about US intelligence agencies’ access to data”. This will include a special court to examine such requests.
The Commission also talks about “the stringent requirements for companies that process data sent from the European Union”. These also included a requirement to self-certify that it had followed relevant US Department of Commerce policies. Furthermore, “specific monitoring and verification mechanisms” were agreed upon. In general, “data sent to the United States will be protected by Europeans, taking into account” the Shrims II ruling of the European Court of Justice.
Shrims: affirmations only, not actionable
In the landmark decision, Luxembourg judges once again decided that US laws, such as the Foreign Intelligence Surveillance Act (FISA) or the Cloud Act, enable mass surveillance by security authorities and therefore the US data protection standard does not match that in the European Union. In 2015, Shrems had already dropped the previous safe harbor agreement before the European Court of Justice. Without fundamental US reforms, a third attempt is unlikely to be enough to ensure adequate data protection for EU citizens.
At the same time, the Commission and the US government emphasized that Washington’s commitments should only be included in an executive order. Data protection organization Noyb, founded by Schrems, had previously criticized the fact that the US was not planning “any changes to its surveillance laws, only assurances from the executive branch”. These will have “no external influence and cannot be sued”. A real solution such as a “no-espionage agreement” with “fundamental guarantees among like-minded democracies” is still pending.
Basic agreement of politics
The official announcement, on the other hand, is that the Transatlantic Data Protection Framework will create a “permanent basis” for the movement of data across the pond. This is critical for transatlantic trade in all sectors of the economy, including small and medium-sized businesses. The agreement in principle is the result of more than a year of intense negotiations led by US Commerce Secretary Gina Raimondo and Justice Commissioner Didier Reynders.
The Green Party deputy head of the Bundestag, Konstantin von Knots, welcomed the Declaration of Principles after the Commission and the previous federal government did not do justice to the protection of basic rights for people in Europe and the legal certainty necessary for the economy. for years. The government institution in Brussels must now live up to its responsibility and ensure that the new agreement offers real added value, for example to informational self-determination for users, and dispenses with “absolutely new auxiliary structures”.
Businesses need legal certainty
Rebekka Weiß of the Bitkom Digital Association explained that the political agreement is “just the urgently needed first step”: “Now is the time to translate this political will into flexible legal regulation.” Companies need “quick legal certainty so that the current data blocking can be resolved once and for all”. Small businesses in particular “rely on storing data in the cloud, using software from US providers and communicating in social networks and using video conferencing systems from international providers.”
The government teams and the US commission say they will continue to work together to “translate the agreement into legal documents”. These must be “acceptable by both sides”. Relevant US government regulations will form the basis for “the Commission’s evaluation in its appropriate decision in the future.”