For more than two years, the transmission of data from Europeans to the USA has been on shaky ground. The White House is now taking steps towards a new solution.
The US government is laying the groundwork for a much-needed new legal framework for transferring data from Europeans to the US. President Joe Biden’s decree on Friday includes stricter requirements for secret services to access information. A central element is also a two-stage mechanism for EU citizens to complain about what they consider to be illegal access.
US Secretary of Commerce Gina Raimondo said the measures remove the reasons for the European Court of Justice’s decision to overturn the previous Privacy Shield legal framework. In July 2020, the ECJ came to the conclusion that the level of data protection in the USA does not correspond to the standards of the EU. Above all, the judges criticized the far-reaching access possibilities of US secret services to data of Europeans.
hope for legal certainty
She will send several letters from the responsible US authorities to EU Justice Commissioner Didier Reynders, in which the new measures are described in detail, said Raimondo. Senior White House officials said they were confident the steps were enough to achieve a lasting solution. The EU Commission is also hoping to be able to create legal certainty.
Based on Biden’s decree, the procedure for a so-called adequacy decision can begin at EU level, which would certify equivalent data protection standards between the EU and the USA. This procedure can take about six months. The European Data Protection Board as well as the EU states and the European Parliament must also be involved. The Biden decree is “an important step, but not the end of the process,” emphasized EU officials.
A basic agreement on a new legal framework between the EU and the USA had already been announced in March. Now the concrete steps follow. EU officials stressed that they had been involved in drafting the US measures.
Noyb remains critical
For companies, the ECJ ruling created great legal uncertainty when transferring data between the USA and the EU. The Facebook group Meta always warns that the online network and Instagram will probably have to be discontinued in Europe if there is no successor plan.
The “Privacy Shield” came about in 2016 after the previous “Safe Harbor” regulation had been overturned by the ECJ. In both cases, the Austrian lawyer and data protection activist Max Schrems complained. His data protection organization Noyb emphasizes, among other things, that a presidential decree is not a law.
Two-tier grievance mechanism
Under the two-tier mechanism, complaints will first be reviewed by the person responsible for protecting civil rights in the US Directorate of Intelligence’s office. In the next step, his decisions should be able to be reviewed by a special court. The judges with experience in questions of data protection and national security should not come from the US government and should be able to evaluate the cases independently. Access to data from Europeans should generally only be possible “to pursue defined national security goals”, it said.