The return of the Privacy Shield: The Jedi!

Towards more privacy-friendly US surveillance: nonsense?

The purpose of the Executive Order signed by President Biden on 7 October 2022 is to put in place additional safeguards on the United States side so that the new "Data Privacy Framework" between the US and the EU can be implemented. This Data Privacy Framework is intended to provide a new legal basis for EU-US transfers of personal data, following the Schrems II judgment of 16 July 2020.

Indeed, transatlantic transfers of personal data have been on shaky ground since the invalidation of the Privacy Shield, leaving data protection professionals uncertain as to which measures to adopt.

The lawfulness of the activities of American companies on the European continent has even been called into question, in particular by the decision of the CNIL (the French supervisory authority) of 10 February this year, which found the use of Google Analytics to be unlawful.

First, the measures set out in the Order concern US surveillance practices, which are to be adapted to be more privacy-friendly:

  • Surveillance activities may only be conducted in pursuit of defined national security objectives, only where necessary, and in a manner proportionate to those objectives, taking into account the privacy and fundamental rights of individuals, whatever their nationality;

  • The powers of legal, compliance and oversight officials are strengthened so that they can take the steps needed to remedy incidents of non-compliance;

  • US intelligence agencies are required to update their policies and procedures to incorporate the new safeguards contained in the Order.

Second, the Order announces the creation of a two-tier redress mechanism allowing individuals to obtain a review where their personal data has been processed by US intelligence in violation of applicable law and/or of the Order itself.

Complaints lodged in this way are first examined by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence, and may then be reviewed by the Data Protection Review Court (DPRC), whose creation is also announced in the Order.

So, does everyone believe it? Not sure...

The question then arises of whether these measures will hold up against the case law of the Court of Justice of the European Union. The NGO NOYB, led by Max Schrems, which was behind the invalidation of the Privacy Shield and of its ancestor, the Safe Harbour, has already raised objections to the measures taken by the American government. According to the association, the Order is "unlikely to comply with European law". NOYB contests in particular the "proportionality" the Order attaches to US surveillance: the American and European readings of that word differ, and in the CJEU's reading the US still does not meet the bar.

The status of the new redress body, the DPRC, is also questioned. For NOYB, the DPRC is merely an "improved version of the 'ombudsman' system, which has already been rejected by the CJEU", and does not meet the requirements of the EU Charter of Fundamental Rights as to the right to an effective remedy and access to an impartial tribunal.

The announced measures are aimed at obtaining an adequacy decision from the European Commission. Assuming the process is not slowed down by objections from bodies such as the EDPS or the national supervisory authorities, that decision is not expected to be made official for several months.

In conclusion, the measures taken by the United States do not seem to meet the requirements of Article 45 of the GDPR needed to secure the coveted adequacy decision. The Executive Order gives the impression of a decision rushed through to plug the privacy gap on the US side.

So, will the European Commission consider this text sufficient? If so, how long could such a mechanism survive in the climate of digital sovereignty so desired by the European Union? And will this new text live up to the demands of privacy advocates?

Oh my god, too many questions!

Published on: 27 Oct 2022