Four years have now passed since 25 May 2018, the date of entry into force of the General Data Protection Regulation (GDPR), a European regulation designed to protect the personal data of European citizens. A couple of years earlier the United States of America had introduced the Privacy Shield to allow the exchange of personal data between the EU and the USA, certifying that the data would be processed in line with what the GDPR defines.
In 2015, before the GDPR entered into force, Maximillian Schrems, an Austrian lawyer and privacy activist, brought before the Court of Justice of the European Union the failure of non-EU countries to protect the personal data of European citizens. The Court of Justice of the European Union (CJEU) ruled on 16 July 2020. This is the Schrems II judgment: the Privacy Shield was invalidated as a tool for transferring data from the EU to the US, on the grounds that it did not sufficiently protect the data of European citizens. Consequently, the American system could not yet be considered aligned with the European one.
In particular, under the Privacy Shield, the US authorities did not adequately limit their access to and use of data (especially in connection with interceptions) transferred from the EU to the US. The tool was considered too invasive. The principles of proportionality and data minimization were not respected. Nor was there provision for an independent and impartial appeal mechanism.
European companies therefore found themselves disoriented in the face of this change, needing either to stop sending data to the USA or to use what are called Standard Contractual Clauses (SCC) to regularize data processing.
The need to align the European and American legal systems saw a first step forward on 7 October, when US President Joe Biden signed the Executive Order implementing the agreement reached with European Commission President Ursula von der Leyen in March 2022 on the simplified restoration of the flow of personal data from the EU to the US, through the introduction of a “Privacy Shield 2.0”. The future “Privacy Shield 2.0” should, therefore, restrict access to EU data by US intelligence services and establish a data protection review tribunal.
Let us therefore look more closely at the innovations introduced by the recent Executive Order.
The first change concerns the activities of the American intelligence services, which will have to be limited to what, following in-depth analysis, is actually necessary. Furthermore, the principle of proportionality between the guarantee of national security and the fundamental rights and freedoms of natural persons must be respected. The attempt to introduce small improvements in respect for privacy in the American legal system is certainly to be appreciated; in the past, intelligence services could process the personal data of European citizens simply when they deemed it “reasonable”. On the other hand, however, it will be necessary to understand better how the new limits will be implemented and enforced in the future.
The second important change concerns the establishment of a judicial appeal system to which European citizens can have recourse and from which they can obtain a binding, independent and impartial remedy. The first level is represented by the Civil Liberties Protection Officer (CLPO) who, following an investigation, defines the actions to remedy the damage; the decision of the CLPO can then be appealed to the Data Protection Review Court (DPRC), the second level, composed of three independent judges.
In the days following the signing of the Executive Order, considerable doubts emerged about the independence of both the CLPO, as it reports directly to the Director of National Intelligence, and the DPRC, as its judges are appointed by a government body. In fairness, in the case of the DPRC there are guarantees similar to those which guarantee the independence of our own Authorities (e.g. irremovability of judges).
We must also consider that the Privacy Shield was invalidated because American laws were not comparable to European ones. Many industry experts are now wondering how an executive order, which is not a law and consequently cannot amend the laws, will be able to resolve the misalignment. NOYB, the association founded by Maximillian Schrems, deems it unlikely that the signed Executive Order will bring the American regime closer to the European one.
The next step will be taken by the European Commission, which will soon have to produce an adequacy report on the US legal system. The draft of the report will then be shared with the European Data Protection Board (EDPB) and with a committee made up of Member States. However, neither the opinion of the EDPB nor that of the Member States will be binding.
In the event of a positive final opinion from the Commission, the data of European citizens will once again circulate freely towards those certified as “Qualifying States”, i.e. countries or regional organizations that have demonstrated adequate laws governing the conduct of intelligence activities, that allow the transfer of personal information for commercial purposes and that promote the national interests of the United States.
In the event of a negative opinion, however, companies that export data to the USA will have to continue using the Standard Contractual Clauses (SCC) as their only option.
European and American companies are therefore now awaiting the opinion of the European Commission, which should arrive by the end of the year. The attempt to harmonize the American legal system with the European one in terms of privacy has been appreciated: it introduces the concepts of necessity of processing, minimization, proportionality and the possibility of recourse. Yet the fear is that all this may once again not be enough, and may even lead to a Schrems III case.