Is it still possible to transfer the personal data of European citizens to the United States?
No. Not since European Commission president Ursula von der Leyen and US president Joe Biden signed a new “transatlantic data privacy framework” on 10 July, the third of its kind.
However, looking at the European Commission’s own press release, some limitations of the system are self-evident:
—Access to data by US intelligence authorities is limited to what is “necessary and proportionate” in order to protect national security, but nothing defines these two characteristics in the text signed by the two powers.
—It is up to the American intelligence services to ensure compliance with the limitations on surveillance activities.
—An independent and impartial redress mechanism has been put in place, including a new Data Protection Review Tribunal to investigate and resolve complaints about access to their data by the US national security authorities--but the legal framework within which this authority will sit isn’t clear.
Insufficient, says Max Schrems
That said, European citizens who feel they have been wronged in the United States can lodge an appeal with their own national authority, the CNPD in Luxembourg, which will forward the complaint to the European Data Protection Committee, which in turn will ensure that the complaint reaches the right place: Rebecca Richards, the new (since 16 March) chief of the civil liberties, privacy, and transparency office in the US Office of the Director of National Intelligence.
The review tribunal mentioned above will be made up of members chosen from outside the US government, appointed on the basis of specific qualifications--but they will not really have any legal existence. Rather, it will be an administrative authority that will tell citizens one of two things: that their data has not been manipulated illegally, or that the administration has requested corrective measures. Nobody really knows, as of today, whether this body’s decisions will be subject to appeal, or even where they would be.
given by Biden in October should clarify the situation, except that it doesn’t say what sanctions an offending agency would face. For Austrian lawyer Max Schrems, this is not enough. “We now had ‘harbors,’ ‘umbrellas,’ ‘shields,’ and ‘frameworks’--but no substantial change in US surveillance law,” he explains in a press release from the European Centre for Digital Rights (Noyb). “The press statements of today are almost a literal copy of the ones from the past 23 years. Just announcing that something is ‘new,’ ‘robust’ or ‘effective’ does not cut it before the [EU] Court of Justice. We would need changes in US surveillance law to make this work--and we simply don’t have it.”
2,500 companies already in compliance with the DPF
Meanwhile, in a move that would probably have pleased René Magritte, the DPF (“data privacy framework”) is not a “label” but merely the representation of a label. And 2,500 American companies have already complied with the self-certification mechanism, on a new site launched by the US Department of Commerce. Companies must also pay a contribution of between $250 and $10,000, depending on their turnover, to the American Arbitration Association to finance the amicable settlement of disputes.
While certification is a self-declaration with no strings attached, it seems clear that, given the context and the ever-businesslike orientation of the Americans, many will want to have this recognition, which, once again, says little about the reality of data management in these companies.
This article was first published in French in Paperjam. It has been translated and edited for Delano.