EU confirms draft decision on replacement US data transfer pact:
The European Commission has announced a draft decision on U.S. adequacy, paving the way for a replacement EU-U.S. data transfer deal to be adopted next year.
The draft adequacy decision for the EU-U.S. Data Privacy Framework (DPF), as it's called, can be downloaded here.
The Commission's draft is a key step in years of tortuous bilateral process which the EU's executive body and U.S. counterparts hope will finally bring legal certainty to transatlantic exports of EU personal data — which have been shrouded in risk after earlier agreements were invalidated by the bloc's top court, back in July 2020 and October 2015, over the legal disconnect between European privacy rights and U.S. surveillance powers.
Resolving that schism has been — and remains — the key sticking point for EU-U.S. data transfers. It means any new deal on transatlantic data transfers will undoubtedly face legal challenges to test whether this fundamental clash has really been resolved.
But even just getting a replacement agreed on paper, after the last two deals were torn up by the Court of Justice of the EU (CJEU), has been a major effort and challenge.
Yesterday the EU's justice commissioner, Didier Reynders, told a Politico event that he hoped the new pact would be finalized before July next year — and he gave it a '7 or 8 out of 10' chance of withstanding legal challenge. So even the Commission is not 100% on this surviving.
[...] "US companies will be able to join the EU-U.S. Data Privacy Framework by committing to comply with a detailed set of privacy obligations, for instance, the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties," the Commission writes. "EU citizens will benefit from several redress avenues if their personal data is handled in violation of the Framework, including free of charge before independent dispute resolution mechanisms and an arbitration panel.
[...] In a statement on the Commission's draft decision announcement, noyb, the privacy and digital rights not-for-profit advocacy group founded by Max Schrems — whose surname has become synonymous with successful challenges to EU-U.S. data transfer deals — predicts the DPF will fail in front of the CJEU.
"The CJEU required (1) that US surveillance is proportionate within the meaning of Article 52 of the Charter of Fundamental Rights (CFR) and (2) that there is access to judicial redress, as required under Article 47 CFR. Updated US law (Executive Order 14086) seems to fail on both requirements, as it does not material change the situation from the previously applicable PPD-28. There is continuous 'bulk surveillance' and a 'court' that is not an actual court. Therefore, any EU 'adequacy decision' that is based on Executive Order 14086 will likely not satisfy the CJEU," noyb said in a press release.
Its analysis of the deal-in-principle between the two sides, based on the text of the U.S. EO, is that changes "seem rather minimal" and the agreement "underperforms when it comes to the protection of non-US persons", as it puts it — hence it's predicting the third deal won't pass muster with the CJEU either.
Commenting in a statement, Schrems added: "We will analyze the draft decision in detail the next days. As the draft decision is based on the known Executive Order, I can't see how this would survive a challenge before the Court of Justice. It seems that the European Commission just issues similar decisions over and over again — in flagrant breach of our fundamental rights."
(Score: 2) by canopic jug on Friday December 16, @03:15PM
There is also a publication from 15 December 2022 about a European Declaration on Digital Rights and Principles [europa.eu], in multiple languages. Word from last month was that the right to privacy, specifically encryption, was left out. Indeed, encryption is not named though privacy is. It will be up to the interpretation I guess, but since the whole declaration is non-binding it doesn't really amount to much either way. I hope that the replacement US Data Transfer Pact will have much more substance.
Money is not free speech. Elections should not be auctions.