Berlin What the European Commission recently announced reads as if the economy could actually breathe a sigh of relief. The Brussels authority said the way was clear for an urgently needed legal framework for the transmission of data from Europeans to the USA.
However, experts are by no means convinced by this assessment. Baden-Württemberg’s data protection officer, Stefan Brink, was surprised at the advance of the EU Commission in view of the many unanswered questions. He therefore has “doubts as to whether equivalent protection of personal data can be achieved,” Brink told the Handelsblatt.
The prominent Austrian lawyer Max Schrems expressed clear criticism of the announcement from Brussels. “This is a deliberate violation of the rule of law and a disregard for the European Court of Justice,” Schrems told the Handelsblatt.
Schrems, chairman of the international data protection organization Noyb, has twice brought lawsuits that have brought down the basis for data traffic and will in all likelihood try again. “I’m 95 percent assuming that we will also sue against the new decision,” he said.
Six out of ten companies in Germany use international data transfers
A legally secure basis for data transfer to the USA would be immensely important for companies. In July 2020, the European Court of Justice (ECJ) overturned the then agreement (“Privacy Shield”) between the USA and the EU due to data protection deficiencies. Above all, the judges criticized the far-reaching access possibilities of US secret services.
>> Read also: Dax bosses “greatly concerned” about US cloud risks – traffic light parties want a secure legal basis
The “Privacy Shield” came about in 2016 – after the previous “Safe Harbor” regulation had also been overturned by the ECJ.
As a result of the ECJ ruling, important US cloud providers such as Amazon, Microsoft and Google lack a legal basis for their services in Europe. You are thereby violating the European General Data Protection Regulation (GDPR). Fines of up to 20 million euros are possible against companies that use the services.
Many people accept the risk – inevitably. Because data transfers are “an essential part of the entire economy and also of science,” explains Susanne Dehmel from the IT association Bitkom. “The impediment or even prevention of data transfers is at least as serious for German and European companies as the interruption of supply chains.”
According to a current Bitkom study, six out of ten companies in Germany (60 percent) transfer personal data to countries outside the EU.
In order to smooth a way out of the legal dilemma, the EU Commission proposed in mid-December that data protection in the USA be recognized as equivalent to that in Europe. We are talking about an “appropriateness decision”. Several bodies have yet to confirm this.
US President Joe Biden had previously decreed that the US secret services limit their access to European data to what is necessary and proportionate to protect national security. A complaints office has also been set up to function like a court. The EU Commission speaks of “significant improvements” compared to the “Privacy Shield” data protection agreement.
Schrems accuses the EU Commission of “beautification attempts”.
The Austrian lawyer Schrems cannot confirm this after his analysis. “So far, we have not found anything in the American decisions or in the EU Commission’s proposal that would legally secure the flow of data between the EU and the USA,” he told Handelsblatt. “These are attempts at beautification, nothing more.”
The Austrian lawyer has already won several data protection cases before Europe’s highest court.
(Photo: AP)
The privacy advocate Brink sees it similarly. He does not assume that the regulation (“Executive Order”) presented by Biden will stand up to the strict requirements of the ECJ. It is questionable to what extent an executive order can even be an effective instrument for implementing the GDPR requirements. “It represents an internal instruction to the government and subordinate authorities and is not a law that has been passed by parliament and is therefore final.” Compliance with an executive order is not legally enforceable, especially for EU citizens.
In addition, it is not clear how the executive order relates to other existing US laws such as the “Cloud Act”. The law obliges US companies to pass on stored customer data to law enforcement authorities in the US – for example in the event of suspicion of terrorism. Brink said the restrictions on data processing that Biden has now promised in certain cases are not very convincing.
Because the interpretations of what is proportionate in this regard and what is not are different in Europe and the USA. It therefore remains unclear when, from the point of view of the USA, data access for national security purposes will remain permissible.
>> Read also: German companies in the data protection trap – authorities intensify investigations into US cloud use
A major innovation that Biden is offering to Europeans is the establishment of an independent court to which EU citizens who feel their civil rights have been violated by US intelligence services can turn. This court, the Data Protection Review Court, is designed to make binding judgments and compel intelligence agencies to stop certain espionage activities. This should give Europeans the opportunity to sue in the USA.
Data protection officer Brink: The system change requested by the ECJ is not taking place
Here, too, Brink expressed doubts. “This Data Protection Review Court will be set up within his department according to the decree of the Minister of Justice,” said the data protection officer. “He is likely to be assigned to the executive, which contradicts his independence.”
The European Court of Justice not only demanded legal remedies against state spying, but also an end to surveillance without cause. “But that cannot be assumed at the moment,” says Brink. The “system change” demanded by the ECJ will therefore not take place”.
>> Read also: These are the biggest data protection annoyances for companies
Schrems warns the EU of another failure. The ECJ has already overturned the legal basis for data transfer twice. “Now the Commission is just making the same decision again,” he said. That is legally and politically problematic: “The EU Commission denounces constitutional deficiencies in Hungary and Poland, but turns a blind eye to the USA.”
The EU Commission does not want to comment directly on the criticism. However, a spokesman said they were confident that the points that the ECJ had objected to had now been resolved. There are now strict security precautions and restrictions for access by US secret services.
The affected US Internet companies are therefore pushing for a new EU-US agreement as quickly as possible. “We call on the EU member states to approve the adequacy decision immediately and to restore legal certainty for companies on both sides of the Atlantic,” said Alexandre Roure from the CCIA association, which represents the interests of companies such as Amazon, Google and other cloud providers from the USA represents. The US government has taken historic steps.
More: Tighter borders for US intelligence agencies: Biden paves the way for a new transatlantic data agreement