On July 10, 2023, the European Commission adopted a new mechanism for personal data transfer between the EU and the US – the Decision no. C (2023) 4745 (“the Decision”), which stipulates that the US provide adequate and appropriate level of protection, i.e., that corresponds to the one existing in the EU in terms of personal data transferred from the EU to the US companies, without the obligation to undertake any further protective measures. The Decision entered into force and started to apply on the day of its adoption.
However, this (third) attempt of the European Commission to establish the subject mechanism will probably be (re-)discussed before the European Court of Justice (“CJEU”). According to NOYB, the organisation of privacy activists, whose founder Max Schrems achieved the cancellation of previous mechanisms (judgements of the CJEU known as Schrems I and Schrems II), the arrangement established by the Decision is largely a copy of the Privacy Shield.
As a reminder, Privacy Shield is a legal mechanism used since 2016 as a basis for transfer of personal data from the EU to the US, which was put out of force by the decision of the CJEU of July 16, 2020 (when the decision of the European Commission 2016/1250 on EU-USA Privacy Shield arrangement was declared invalid).
In 2016, the Privacy Shield itself replaced Safe Harbour Privacy Principles, a legal document adopted by the EU and the US, which, alike the Privacy Shield, enabled controllers established in the US to certify under certain terms as safe controllers of personal data originating from the EU.
Privacy Shield issues
As we have already written in one of our previous articles (available here), Privacy Shield arrangement was abolished because there was a direct conflict between extensive powers of the authorities established by the US regulations on one side and fundamental rights guaranteed in the EU on the other side. In other words, it did not allow data subjects to exercise protection before an independent body, nor did it provide guarantees equivalent to those requested by the EU regulations, such as independence in work and legal force of the decisions that would be binding upon the US intelligence services.
Namely, while the US regulations (e.g., Foreign Intelligence Surveillance Act, i.e., FISA) are extremely restrictive with regard to personal data protection (i.e., enable significant interference with individuals’ privacy), the EU regulations since 1995 allow the transfer of such data outside the EU only if there is substantially equivalent protection in the destination country.
Content of the Decision
According to the information from the website of the European Commission, the new EU-US data privacy framework introduces new binding safeguards, which remove the reasons for which the CJEU abolished the Privacy Shield arrangement, including limited access to the EU data by the US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court, to which EU individuals will have access.
The new framework introduces significant improvements compared to the mechanism that used to exist within the Privacy Shield. For instance, if the Data Protection Review Court establishes that data were collected contrary to the new safeguards, it will be allowed to order their deletion.
According to the new mechanism, the US companies (as data recipients) will have access to it upon certification, i.e., by undertaking to abide by a series of rules and obligations established thereunder, such as the obligation to delete data once they become obsolete, as well as to ensure continuous data protection in case of sharing with third parties.
In addition to the Data Protection Review Court, the new framework provides for other redress mechanisms to individuals in case of personal data infringement, i.e., through arbitration procedure.
Position of the NOYB
However, according to NOYB, this latest attempt to regulate personal data transfer between the EU and the US does not introduce any substantial but rather cosmetic changes. For instance:
Although processing of personal data originating from the EU by the US intelligence services is formally limited to what is necessary and proportionate, NOYB deems that the notion “proportional” is differently interpreted in the US compared to the EU regulations and position of the CJEU on that matter, which may be a basis for future disputes;
The US failed to amend the FISA rules, notably Section 702, which refers to surveillance by competent US authorities over individuals outside the US through providers of electronic communication services, which rules are particularly problematic from the aspect of EU regulations.
In general, NOYB finds that the changes introduced by the Decision compared to the Privacy Shield are not at a satisfactory level, hence it announced that it will challenge the new framework before the CJEU. It therefore remains to be seen whether there will be Schrems III judgment in the future.
Significance of the EU decision on adequate level of personal data protection in the US for transfers from the Republic of Serbia to the US
When it comes to transfer of personal data between the Republic of Serbia and the US, the Decision on the List of countries, parts of their territories, one or several sectors of certain activities in such countries and international organisations which are deemed to have adequate level of personal data protection (Off. Gazette of RS no. 55/2019) established that the transfer of personal data from Serbia to the US is limited to the “Privacy Shield framework“.
Although the Privacy Shield arrangement was put out of force back in 2020, the stated decision has not been accordingly amended in the meantime.
Having in mind that the said decision still contains identical wording regarding the transfer of personal data to the US (limited to “Privacy Shield framework”), one can say that it also encompasses the legal framework, i.e., mechanism that has replaced the Privacy Shield, hence such transfer is allowed to the US companies that are certified in terms of the Decision.
However, it remains to be seen what position shall be taken by the Commissioner for Information of Public Importance and Personal Data Protection.
This article is to be considered as exclusively informative, with no intention to provide legal advice. If you should need additional information, please contact us directly.
By Ivana Ruzicic, Managing Partner, and Lara Maksimovic, Senior Associate, PR Legal