Open letter by noyb on the EU-US data transfer deal
It warned the Commission against looking to buy 'another couple of years' by agreeing to an arrangement that undermined the judgments of CJEU
The data privacy activist group, 'none of your business' (noyb) has recently published an open letter on the planned European Union-United States (EU-US) data transfer deal.
The letter was addressed to the EU Commissioner for Justice, the US Secretary of Commerce, the EDPB Chair, the Chairman of the European Parliament's Committee on Civil Liberties, Justice and Home Affairs, and the Justice Advisor at the Permanent Representation of France to the EU.
The letter followed the announcement of an agreement in principle for a new Trans-Atlantic Data Privacy Framework (TADPF), which noyb claimed largely 'repeated' the previous EU-US Privacy Shield that was invalidated by the Court of Justice of the European Union (CJEU) in the landmark Schrems II decision.
The note made several observations, raising criticisms of the TADPF position expressed to date. However, it acknowledged that the text remained to be negotiated.
- The TADPF would rely on US executive orders, which would be 'structurally insufficient' to satisfy the CJEU's requirements and may not allow data subjects to enforce limitations in court.
- Replacing the current Presidential Policy Directive 28 on Signals Intelligence Activities with an executive order referencing the 'necessity and proportionality' of national security interests, was no substitute for amending the law and a substantive change in approach to the proportionality of US surveillance practices.
- The proposals for a new Data Protection Court constitute the creation of an executive 'body' (with limited independence) to deal with potential violations of the US laws and executive orders. Noyb did not consider that the approach satisfied the requirement for an effective and independent means of judicial redress for EU data subjects.
- The lack of updates to the previous Privacy Shield principles was problematic on the assertion that they referred to old laws, did not reflect current elements of the GDPR (eg: processing to be necessary and reliant on a legal basis, right of access), and more generally, were not 'essentially equivalent to the GDPR.'
- The negotiators should look to protect the rights to privacy and data protection, irrespective of geographical location and citizenship, in contrast to the approach currently taken by the likes of FISA 702 and US executive orders (which refer to the US/non-US persons).
In the letter, noyb stated that it was prepared to challenge any final adequacy decision that it considered failed to provide the required legal certainty.