Berlin A solution is emerging in the years-long dispute between the EU and the USA over the transfer of personal data across the Atlantic. US President Joe Biden signed a decree on Friday morning in Washington that sets stricter rules for “signal intelligence”, i.e. the electronic reconnaissance of the US secret services.
This is to address the concerns of the European Court of Justice (ECJ), which has invalidated agreements on the transfer of data from Europe to the United States in two decisions. The Austrian lawyer Max Schrems initiated the proceedings with his data protection association “noyb”.
In the judgments Schrems I (Az.: C-362/14) and Schrems II (Az.: C 311/18), the ECJ came to the conclusion in 2015 and 2020 that the level of data protection in the USA did not meet the standards correspond to the EU. Above all, EU citizens could not adequately defend themselves against the extensive access options for US secret services to their data.
It is of great importance for the economy in Europe that there is now movement on the subject. For years, companies have been waiting for a legally secure solution for global data and business transactions.
Top jobs of the day
Find the best jobs now and
be notified by email.
The US regulation first formulates the conditions under which the collection of data from private individuals is permitted – for example in the fight against terrorism or to protect national security. At the same time, Biden’s decree sets out when data espionage is generally impermissible, for example when it is done with discriminatory intent.
Fines of up to 20 million euros are possible without a new agreement
Even in cases in which US authorities are allowed to intercept and analyze data, they will in future have to prove that their measures serve to avert security and are proportionate. In particular, they must be able to show that there are no less far-reaching options for intervention.
>> Read here: These are the biggest data protection annoyances for companies
The most important innovation, however, is the establishment of an independent court to which EU citizens who see their civil rights violated by US intelligence services can turn. This court, the Data Protection Review Court, can make binding judgments and force the intelligence agencies to stop certain espionage activities. This gives Europeans the opportunity to sue in the USA.
The EU Commission is satisfied. A senior official speaks of “an important step” that not only represents an improvement of the existing rules, but also leads to a completely new legal framework to protect the rights of European Internet users. “Every US intelligence agency must now review their activities,” the official said. The Commission is confident that the new privacy shield will stand up to the CJEU.
That would be very important for companies. Because since the court decisions, they have been operating practically in a legal vacuum. Many US cloud services, such as Amazon or Microsoft, collide with the European General Data Protection Regulation (GDPR).
The same goes for Facebook. The parent company has already warned that the online network and Instagram will probably have to be discontinued in Europe if there is no new data protection agreement.
Fines of up to 20 million euros are possible against companies, including many from Germany, who still use the US services.
Biden’s decree could now mean a big step towards legal certainty. In any case, what is now available is the result of months of negotiations between the EU and the US government. In March, both sides had reached a political agreement, which the Americans have now translated into a legal text.
Experts see the new data deal as a success for Brussels
Next up are the Europeans. In the coming weeks, the Commission will develop its own legal act, the so-called adequacy decision. This is one of the instruments provided for in the General Data Protection Regulation (GDPR) for the transfer of personal data from the EU to third countries, which guarantee a level of protection comparable to that of the EU.
Such a decision would allow personal data to flow freely and securely from the EU to the third country in question, without the need for any further conditions or approvals. This means that data can be transmitted to the relevant third country in the same way as within the EU.
>> Read here: Dax bosses “greatly concerned” about US cloud risks – traffic light parties want a secure legal basis
However, certain criteria apply. For example, individual rights, independent oversight and “effective” remedies against actions by US authorities must be guaranteed.
The EU Commission now sees these conditions as fulfilled. She expects that the adequacy decision can be adopted in a binding manner next spring. To do this, she still has to obtain the opinions of the European Data Protection Board and the EU Parliament. In addition, the member states must agree with a qualified majority. There is no veto option for a single country.
Experts see the agreement as a success for Brussels. “The Commission has asserted itself on crucial points and achieved far-reaching concessions,” says Tyson Barker of the German Council on Foreign Relations. The US government wanted to clear up the issue in order to preserve the transatlantic flow of data. “President Biden has invested a tremendous amount of political capital in cultivating the US-EU relationship, more than any of his predecessors.”
More: Bitkom President warns: The lack of a data protection agreement with the USA “will massively damage the German economy”