On 14th December 2022, the European Commission, in a Draft Adequacy Decision, approved a new legal framework for the transfer of personal data from the EU to the US under Article 47 of the GDPR. Subject to approval by other EU bodies, the decision paves the way for “Privacy Shield 2.0” to take effect by spring 2023.
Background
In July 2020, the European Court of Justice (ECJ) ruled in “Schrems II” that organizations transferring personal data to the United States can no longer rely on the Privacy Shield Framework as a lawful transfer tool, because it failed to protect EU data subject rights when data was accessed by US public authorities. In particular, the ECJ found that US surveillance programs are not limited to what is strictly necessary and proportionate as required by EU law, and so do not satisfy the requirements of Article 52 of the EU Charter on Fundamental Rights. Second, with respect to US surveillance, EU data subjects lack viable judicial remedies and therefore have no right to an effective remedy in the US, as required by Article 47 of the EU Charter.
The ECJ said organizations transferring personal data to the United States can continue to use GDPR Article 49 exceptions or Standard Contractual Clauses (SCCs). When using the latter, for transfers to the United States or other countries, the ECJ made the data exporter responsible for conducting a complex assessment (Transfer Impact Assessment or TIA) of the data protection laws of the receiving country, and for adopting “additional measures” to what is included in the SCCs.
Despite the Schrems II ruling, many organizations continue to transfer personal data to the United States, hoping that a new transatlantic data deal will arrive before regulators enforce the ruling. While the UK’s Information Commissioner’s Office (ICO) appears to be adopting a ‘wait and see’ approach, other regulators are now taking action. In February 2022, France’s data protection regulator, the CNIL, ruled that the use of Google Analytics violated the GDPR because the data was transferred to the United States without adequate safeguards. This is similar to the decision by the Austrian Data Protection Authority in January.
Road to Validity
Since the Schrems ruling, the Privacy Shield replacement has been a priority for EU and US officials. In March 2022, it was announced that a new Transatlantic Data Privacy Framework had been agreed in principle. In October, the President of the United States signed an executive order implementing US commitments in the framework. These include restricting US authorities’ access to data exported from the EU to that which is necessary and proportionate under surveillance law, and establishing a Data Protection Review Court to give data subjects the right to a remedy and to determine the outcome of complaints.
Schrems III?
Max Schrems serves as honorary chairman of the privacy campaign group noyb.
“…changes to U.S. law appear fairly minimal. Some proposed amendments, such as the introduction of the proportionality principle and the establishment of courts, seem promising, but upon closer inspection, they are not as relevant when it comes to protecting individuals outside the U.S., it becomes clear that the Presidential Decree is overstated and understated. It is clear that the EU’s “adequacy decision” under Presidential Decree 14086 will likely not meet the CJEU. This means a third deal between the US government and the European Commission could fall through.” Max Schrems said: “… Since the Draft Decision is based on a known Executive Order, I do not know how this will stand up to challenge in the Court of Justice. The European Commission seems to have issued similar decisions over and over again in gross violation of our fundamental rights.”
The draft adequacy decision will be reviewed by the European Data Protection Board (EDPB) and European Member States. From the above statement, it seems inevitable that there will be legal challenges to Privacy Shield 2.0 once it is finalized.
Data Transfer from UK to US
The transfer of personal data is also a key issue for most UK data controllers, including public authorities. Whether you use an online meeting app, a cloud storage solution, or a simple text messaging service, you often transfer personal data to the United States. Currently, the use of such services typically involves completing complex TRAs and standard contractual clauses. The new UK International Data Transfer Agreement (IDTA) entered into force on 21st March 2022, but still requires a TRA and follow-up measures if privacy risks are identified.
Good news may be on the horizon for UK data exporters. The UK government is also working on an adequacy decision for the US. A similar agreement is likely to emerge once the EU/US agreement is finalized.
DELTA Data Protection & Compliance, Inc. Academy & Consulting – The DELTA NEWS – info@delta-data-compliance.com