On 10. July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework. Based on this decision, personal data can flow freely from the EU to companies in the United States that participate in the Data Privacy Framework. The adequacy decision followed the adoption of the Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’. These instruments introduced new binding safeguards to address the points raised by the Court of Justice of the European Union in its Schrems II decision of July 2020, ensuring that data can be accessed by U.S. intelligence agencies only to the extent necessary and proportionate. The decision is intended to serve as a new data protection agreement between the EU and the US. For all EU companies that use US services and thereby transfer personal data to the USA, the EU-US Data Privacy Framework and the corresponding adequacy decision offer a seemingly significant relief. However, is European data sufficiently protected this time?
Urban Forum and SINOPRESS held an online forum on the topic of EU-US Data Transfer on 7. November, offering an open, insightful, and rewarding discussion about the issue.
The panelist Mr. Günther Sidl from the European Parliament stated that the decision on 10. July indeed provides a new basis for the transfer of personal data from the EU to the US, after the European Court of Justice (ECJ) declared its predecessor, “Privacy Shield 2020”, invalid due to serious data protection deficiencies. The existence of a basis is very important in itself, as it requires clear and strict rules for the handling and transfer of personal data. The protection of privacy is an enshrined fundamental right. With the General Data Protection Regulation (GDPR), the Union has a responsibility to ensure that European data is treated and protected globally according to European criteria. If companies based in the USA process European data, it must be protected according to European criteria.
Mr. Ludwig Sadredin Sahesch-Pur from Pur Consulting, on the other hand, pointed out that it is important to understand how privacy frameworks for data law originally emerged or were created in Europe and elsewhere. Once the development journey is understood, future trends and directions can be presented better, such as the importance of its framework, the angle from which penalties and fines are formed, and the global power game and interest drive. Regarding the privacy framework of data laws, Mr. Ludwig Sadredin Sahesch-Pur stressed that the main goal should be to learn the methods of different countries through tolerance and integrity, and to connect different ideological points to form a final consensus through the overall view and mutual commitment.
It is not easy to reach a final consensus. Some countries appear to be tightening relevant laws. For example, in early 2023, the Irish Data Protection Commission (DPC) announced the end of its investigation into WhatsApp Ireland Limited due to its violation of the GDPR and imposed a fine of 5.5 million euros on it. But this amount is a joke and less than the daily income of these multinational groups, Mr. Ludwig Sadredin Sahesch-Pur said.
In terms of violating the EU’s General Data Protection Regulation, the well-known NGO noyb once mentioned that the Norwegian Consumer Council (NCC) filed a complaint against Grindr (a dating app) with the Norwegian Data Protection Authority in 2020, which imposed a penalty limited to a fine of NOK 65 million (approximately 5.8 million euros). noyb believes that this sends a clear signal to all companies involved in commercial surveillance that sharing personal data (with US companies) without sufficient legal basis can have serious consequences.
noyb also seems to be critical of the EU at the moment, thinking that the EU is acting in a confused way. In September 2023, the European Commission used micro-targeting on Twitter (X) to promote the controversial chat control and has since been seeking public support and pressuring governments to accept the proposed decree. This practice undermines established democratic processes between EU institutions and violates the EU’s General Data Protection Regulation. Another NGO, Epicenter.works, expressed hope that in an era of rapid increase in cybercrime, security authorities in EU countries should strengthen network data security protection instead of deliberately weakening it. Only in this way can the data transfer consensus reached between the EU and the United States truly benefit the full protection of private data in Europe.
Mr. David Kainrath mentioned a recent event held by BSA Favoriten in Vienna, where he invited Mr. Marek Gerhalter from DSB (the Austrian Data Protection Authority) to talk about the adequacy decision between the EU and the United States on July 10, 2023. The latter believed it to be partially applicable, and the actual implementation is probably around 70% to 80%. The adequacy decision only covers data transfers from U.S. data importers on the so-called Data Privacy Framework list. That is, if a U.S. data importer appears on the list, it must rely on an adequacy decision before it can transfer personal data. Otherwise, no further action is required. Before carrying out a corresponding data transfer, therefore, the data exporter shall check whether its transfer falls within the scope of the new adequacy decision in accordance with Article 5(2) of the EU General Data Protection Regulation or take into account other transfer rules already in use. The new adequacy decision will undergo a preliminary review by the European Commission one year after it takes effect, as a matter of fact.
During the forum, Ms Regina Roos from Typhoon HIL opined that to understand the implications of this decision as a governance device, one must examine the political and social facts surrounding it, not only in the European Union and in the United States but also in other countries like China. The decision should thus be seen as one part of a larger puzzle. To place an independent fiduciary intermediary between Big Techs and data subjects, there is a need for a comprehensive approach that ensures proportionate access to data as well as tackles the concentration of data power in the hands of a few tech giants. The decision serves as a vital building block, but it should be viewed in the broader context of global data governance, digital sovereignty, and the regulation of Big Techs to truly protect data subjects in an era where a small number of companies hold the world’s majority of data, Ms Regina Roos concluded.
Data transfers are a central component of the global economy across all sectors and also in science. However, the content is personal and sensitive, the protection of which is a central fundamental right, Mr. Günther Sidl added. “We want to create a legally sustainable basis in which all interests and fundamental rights are fully taken into account. This gives companies legal certainty when they transfer personal data between the EU and the USA. Small and medium-sized enterprises, in particular, could benefit from the elimination of the need for case-by-case audits in future,” he said, “however, it remains to be seen whether the ‘new regulation’ will last in the long term and sufficiently protect the fundamental rights enshrined in primary law in the European Charter of Fundamental Rights. It remains to be seen whether the Data Privacy Framework represents a legally robust regulation that adequately protects the fundamental rights of European citizens.”
In his concluding words for the forum, Mr. Bernhard Müller from Urban Forum stated that the 10. July decision stipulates that the United States guarantee an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies within the new framework. But data protection organizations have already announced legal action against the new agreement. Critics believe that the new data protection agreement is largely a copy of the failed “Privacy Shield” agreement. The protection of sensitive data is a central fundamental right. From today’s perspective, it is not yet clear whether a long-term solution to the problem has been found.