GDPR

Data protection for everyone

Data transfers to the USA: is the new Privacy Shield coming?

October 11, 2022, 11:00 - poklaszlo

The European Commission and the United States announced in a joint statement earlier this year that an agreement on the principles of a new Trans-Atlantic Data Privacy Framework had been reached. Since that announcement, everyone has been waiting for the Executive Order to be issued by the President of the US, on the basis of which the European Commission could begin the necessary adequacy review. After several months of waiting, President Joe Biden signed the Executive Order on October 7. In response to the most important concerns regarding data transfers to the US, it puts some limits on United States signals intelligence activities and provides additional data protection safeguards.

1. What does the Executive Order contain?

In particular, the Executive Order:

  • adds further safeguards for U.S. signals intelligence activities;
  • mandates handling requirements for personal information collected through signals intelligence activities and extends the responsibilities of legal, oversight, and compliance officials to ensure that appropriate actions are taken to remediate incidents of non-compliance;
  • requires U.S. Intelligence Community elements to update their policies and procedures to reflect the new privacy and civil liberties safeguards contained in the E.O.;
  • creates a multi-layer mechanism for individuals from qualifying states and regional economic integration organizations, as designated pursuant to the E.O., to obtain independent and binding review and redress of claims that their personal information collected through U.S. signals intelligence was collected or handled by the United States in violation of applicable U.S. law, including the enhanced safeguards in the E.O.

(For further details, please see the summary released by the White House or the Executive Order itself.)

Of course, the devil is in the details, so a detailed review of the Executive Order will show whether the new provisions meet the data protection requirements of the EU.

2. What are the next steps in the EU?

Based on the Executive Order, the Commission may start the mechanism for adopting a new adequacy decision. This process is expected to take several months (of course, it is also a question whether the Commission finds the safeguards provided in the Executive Order sufficient for the adoption of an adequacy decision, although this is obviously the goal, since the joint statement on the new Trans-Atlantic Data Privacy Framework also pointed in this direction).

According to the Preamble of the GDPR, the Commission shall act - in particular - on the basis of the following aspects in the process of assessing the adequacy of a third country:

In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the third country, or of a territory or specified sector within a third country, take into account how a particular third country respects the rule of law, access to justice as well as international human rights norms and standards and its general and sectoral law, including legislation concerning public security, defence and national security as well as public order and criminal law. The adoption of an adequacy decision with regard to a territory or a specified sector in a third country should take into account clear and objective criteria, such as specific processing activities and the scope of applicable legal standards and legislation in force in the third country. The third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union, in particular where personal data are processed in one or several specific sectors. In particular, the third country should ensure effective independent data protection supervision and should provide for cooperation mechanisms with the Member States' data protection authorities, and the data subjects should be provided with effective and enforceable rights and effective administrative and judicial redress.

Apart from the international commitments the third country or international organisation has entered into, the Commission should take account of obligations arising from the third country's or international organisation's participation in multilateral or regional systems in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular, the third country's accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol should be taken into account. The Commission should consult the Board when assessing the level of protection in third countries or international organisations. [Preamble, (104-105)]

The Commission shall also request the opinion of the European Data Protection Board in the course of the adequacy review. According to the GDPR, the Board shall "provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international organisation, including for the assessment whether a third country, a territory or one or more specified sectors within that third country, or an international organisation no longer ensures an adequate level of protection. To that end, the Commission shall provide the Board with all necessary documentation, including correspondence with the government of the third country, with regard to that third country, territory or specified sector, or with the international organisation." (see Article 70(1)(s) of the GDPR)

3. What are the first reactions?

The new attempt to facilitate data transfers from the EU to the USA is being scrutinised carefully by many organisations. For example, noyb, established by Max Schrems, who launched the proceedings (Schrems I and Schrems II) that resulted in the invalidation of the previous adequacy decisions concerning the US, has already expressed doubts about the content of the Executive Order. It is safe to say that - even if the adequacy decision is issued - the topic will end up again in front of the European Court of Justice (it is possible that Schrems III will arrive within a few years).

4. What should data controllers and data processors do?

The Executive Order does not have a direct impact on data transfers currently carried out or planned by data controllers or data processors, and there is no material action to be taken in this regard for the time being. For data transfers, the tools available in the GDPR - in the absence of an adequacy decision - can be applied (of course, with due diligence, carrying out a data transfer impact assessment, applying appropriate safeguards, etc.). If the adequacy decision is issued (which may take several months), then there will be an opportunity for data controllers and data processors to review the data transfer mechanisms they use.
