In a press statement on 7 October 2022, the White House stated that “Transatlantic data flows are critical to enabling the $7.1 trillion U.S.-EU economic relationship”. The problem, however, is that the legality of transferring personal data overseas is being questioned, due to virtually unrestricted access to personal data by US services and the lack of sufficient safeguards to protect the privacy of Europeans.
This is mainly because the Court of Justice of the European Union (CJEU), by its judgment of 16 July 2020 (Case C-311/18), annulled the existing Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield and consequently called into question the transfer of personal data from the EU to the US under the Privacy Shield programme. Previously, in 2015, the CJEU, in its judgment C-362/14, contested the Safe Harbour provisions, the previous basis for the transfer of personal data to the US.
As a result of the CJEU ruling in July 2020, the transfer of personal data to the US has been made much more difficult. Personal data can now be transferred under standard contractual clauses (SCC), based on Commission Implementing Decision (EU) 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, today replaced by Commission Implementing Decision (EU) 2021/914. However, the need to assess the degree of data protection existing in the third country, including the powers of the public authorities of that country regarding access to the transferred data, has been passed on to data controllers. In making these decisions, controllers can draw on assessments of transfer security issued by supervisory authorities, including in particular the European Data Protection Board’s recommendations on transfers of personal data outside the European Union adopted on 10 November 2020.
The problem of ensuring an adequate degree of security for personal data transferred to the US, and thus the legality of such data transfers, is to be solved by a decree signed by President Joe Biden on 7 October 2022 – Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities – which aims to implement into the US legal system the provisions of the Trans-Atlantic Data Privacy Framework agreement concluded in March this year.
The decree requires the relevant state authorities to implement appropriate guidelines to guarantee effective protection of personal data, while limiting the ability of intelligence agencies to process personal data. The agencies will have to examine the proportionality, appropriateness and necessity of the intended activities, and carry them out only for strictly defined purposes related to the protection of national security. The use of personal data by US intelligence agencies will be subject to multi-level control: by a supervisory authority, as well as by a special Data Protection Review Court. This court will hear complaints from EU citizens about the improper processing of their personal data.
The Trans-Atlantic Data Privacy Framework agreement and the decree signed by Joe Biden do not yet put in place a mechanism for the secure transfer of data to the US. Only a corresponding implementing decision of the European Commission, in which the Commission confirms an adequate level of data protection by the US on the basis of Article 45 of the General Data Protection Regulation (GDPR), will provide the basis for a secure transfer of personal data from the EU to the US.
The implementation of the principles of ‘necessity’ and ‘proportionality’, as well as the formation of a special court, is supposed to ensure an adequate level of data protection and limited access to data by US services. According to some, this is a breakthrough for the protection of personal data of Europeans in the USA, but according to others, there is no reason for euphoria, because the principles indicated will not be understood in the same way as in Europe under the GDPR and the special court will only be an executive body. Time will tell whether the next decision of the European Commission will be contested before the CJEU, like the two previous ones.