US and EU Agree to Yet Another Data Protection Agreement
In 1995 the US and EU started working on a cross border data transfer agreement. First came Safe Harbor (2000). In 2015 the EU Court of Justice invalidated this agreement in what is known as the Schrems I decision.
In 2016, the US and EU agreed, in principle to Privacy Shield, a replacement for Safe Harbor. In 2020, the same court struck down Privacy Shield as inadequate in what is known as Schrems II. Likely the reason for this is that Privacy Shield was, for the most part, Safe Harbor with new lipstick.
The Court is arguing that certain national security things that the US does – which most EU countries also do – is “not proportionate to the need”. This includes section 702 of FISA, Executive Order 12333 and Presidential Policy Directive 28 because, JUST LIKE WHAT CURRENTLY IS THE WAY IT WORKS IN EUROPE, European citizens cannot have their day in US court. For whatever reason, the Court of Justice of the European Union (CJEU), which is kind of like our Supreme Court, can’t quite grasp the concept that if you are not going to stop European countries from spying on its citizens, it is unreasonable to stop the US from doing the same thing.
For the last 3 years, US companies have been using two EU constructs to “legalize” EU – US data transfer: Standard Contract Clauses (SCCs) and Binding Corporate Resolutions (BCRs). Recently the EU courts have said those are probably not adequate either.
The US and EU almost came to an agreement earlier this year, but that proposed agreement fell apart before it was even approved.
Now the US and EU are trying again and announced an agreement today.
The European Union and the U.S. announced a landmark data transfer agreement Monday, ending years of negotiations and redefining how digital information can be shared across the continents with a new emphasis on better protecting data privacy.
Under the agreement, the European Commission (EC) will officially acknowledge the U.S. can be trusted to secure the privacy of European citizen data sent transatlantically. In exchange, the U.S. has agreed to stringent new data privacy protections, including by limiting American intelligence services’ data access to what is “necessary and proportionate,” the commission said.
https://therecord.media/eu-us-data-protection-agreement-privacy-rules
This agreement allows EU citizens to get access to data collected by US intelligence agencies and get data which is inaccurate or unlawfully handled deleted.
It is not clear how this might work since the EU citizen will have no way of knowing whether their data was collected in the first place.
The agreement proposes a new court, a Data Protection Review Court or DPRC which will handle these cases. Since Article III of the Constitution does not address the concept of a DPRC, it is unclear how such a court might work.
Section 702 of FISA expires at the end of this year so this could factor into any renewal of the law.
The EU will agree that the US meets the sufficiency requirements for data transfer, which will allow companies to legally transfer data back and forth if the do certain things, instead of what they are likely doing now, which is illegally transferring that data.
Stay tuned; I am sure than Max Schrems will challenge this agreement as well. It is unclear if the EU courts will have had enough of Max at this point.
Credit: Wrangu and The Record
by 