DATA PROTECTION
Baden-Württemberg Data Protection Authority: concerns about the EU-US Data Transfer based on the US Executive Order.
The report released by the Congressional Research Center of the US Congress highlighted the limits of the Executive Order ("EO") signed by President Biden on 7 October 2022 (implementing the new EU-US agreement for the transfers of personal data) and noted that it could not pass the probable future scrutiny of the CJEU. Now the even more reasoned examination of the EO by the German Data Protection Authority of Baden-Württemberg speaks of "significant deficits" and "unanswered questions" in the Executive Order.
For the German Authority:
(A) there is "considerable legal ambiguity" and doubts that an EO is a suitable tool to implement the requirements of the GDPR: it is an internal instruction (subject to withdrawal) to the government and authorities and it is not a law passed by the US Congress;
(B) the EO is not legally binding, especially for the protection of EU citizens;
(C) the relationship between the EO and other US laws (e.g. the Cloud Act) is unclear;
(D) the interpretation of the concept of proportionality differs in the EU and the US, so it is not clear when, from the US point of view, access for national security remains permitted;
(E) the conditions for complaints from EU citizens and access to the new Personal Data Tribunal seem to hinder the full exercise of rights;
(F) the complainants are not expressly informed if they have been the subject of intelligence activities but only receive a standard message on the completion of the investigation into the complaint;
(G) the Personal Data Tribunal is established within the Executive, which contradicts its judicial independence;
(H) the CJEU, in the Schrems II ruling, asked not only for legal remedies against interference by government agencies but also for the end of any unjustified surveillance, but the EO does not set rules on this;
(I) the EU Commission will now have to decide whether there is equivalent protection of personal data in the US, but it is questionable whether an adequacy decision can be based on an EO;
(L) the US government should finally adopt EU jurisprudence and commit to European rules.
The analysis is available here.