Adequacy decision for the EU – US framework regarding data protection
By Mugurel Olariu, RPD protectie date
Continuation of the previous article
4. What are the limitations and safeguards on access to data by United States intelligence agencies?
A key element of the US legal framework on which the adequacy decision is based concerns the Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities,” which was signed by President Biden on October 7 and is accompanied by regulations adopted by the general prosecutor. These instruments were adopted to address the issues raised by the Court of Justice in its Schrems II judgment.
For Europeans whose personal data is transferred to the US, the Executive Order provides:
• Mandatory safeguards that limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security;
• Increased surveillance of activities by US intelligence services to ensure compliance with limitations on surveillance activities; and
• Establish an independent and impartial redress mechanism, including a new data protection review court to investigate and resolve complaints about access to their data by US national security authorities.
5. What is the new national security compensation mechanism and how can individuals use it?
The US government has established a new two-tiered, independent and binding redress mechanism to deal with and resolve complaints from anyone whose data has been transferred from the EEA to US companies about the collection and use of their data by the US . intelligence agencies.
For a complaint to be admissible, individuals do not have to prove that their data was actually collected by US intelligence agencies. Individuals can lodge a complaint with their national data protection authority, which will ensure that the complaint is properly forwarded and that any further information regarding the procedure, including the outcome, is provided to the individual. This ensures that individuals can turn to an authority close to home, in their own language. Complaints will be forwarded to the United States by the European Data Protection Board.
First, complaints will be investigated by the so-called “Civil Liberties Protection Officer” of the US intelligence community. This individual is responsible for ensuring US intelligence agencies’ compliance with privacy and fundamental rights.
Second, natural persons have the possibility to challenge the decision of the civil liberties protection officer before the newly created Data Protection Supervisory Court (DPRC). The court is composed of non-U.S. government members who are appointed based on specific qualifications, may be removed only for cause (such as a criminal conviction or being deemed mentally or physically unfit to perform their duties), and may not receive instructions from the government. The DPRC has powers to investigate complaints from EU individuals, including obtaining relevant information from intelligence agencies, and can make binding remedial decisions. For example, if the DPRC were to find that the data was collected in violation of the safeguards set forth in the executive order, it can order the deletion of the data.
In each case, the Court will select a special counsel with relevant experience to assist the Court, who will ensure that the applicant’s interests are represented and that the Court is well informed of the factual and legal aspects of the case. This will ensure representation of both parties and introduce important safeguards in terms of due process and fair trial.
Once the ombudsman or the DPRC completes the investigation, the complainant will be notified that either no violation of US law has been identified or that a violation has been identified and remedied. At a later stage, the applicant will also be informed when any information about the proceedings before the DPRC – such as the Court’s reasoned decision – is no longer subject to confidentiality requirements and can be obtained.
6. When will the decision apply?
The adequacy decision entered into force upon its adoption on July 10.
There is no time limit, but the Commission will continuously monitor relevant developments in the United States and regularly review the adequacy decision.
The first review will take place within one year of the entry into force of the adequacy decision, to verify that all relevant elements of the US legal framework are effectively working in practice. Subsequently, and depending on the outcome of the first review, the Commission will decide, in consultation with EU Member States and data protection authorities, on the frequency of future reviews, which will take place at least once every four years.
Adequacy decisions can be adapted or even withdrawn in case of developments affecting the level of protection in the third country.
7. What is the impact of the decision on the possibility to use other tools for data transfers to the United States?
All safeguards that have been put in place by the US government in the area of national security (including the redress mechanism) apply to all GDPR data transfers to US companies, regardless of the transfer mechanisms used. Therefore, these safeguards also facilitate the use of other instruments such as standard contractual clauses and binding corporate rules.
