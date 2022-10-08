The US has taken an important step towards a new data protection agreement with the EU. But Max Schrems threatens to sue again. Breakthrough for legally compliant data transfer or old wine in new bottles? US President Joe Biden has paved the way for a new data protection agreement with the EU by signing a new executive order. The new regulations are intended to improve the protection of EU citizens' personal data from access by US secret services. In addition, EU citizens should be better able to defend themselves against surveillance measures. But mass surveillance remains allowed.

US President Joe Biden has issued a new data protection regulation (symbolic photo). White House/Reuters creative commons

The background to the decree published by the White House on October 7, 2022, is a decision by the European Court of Justice (ECJ) from July 2020, with which the existing data protection agreement, the so-called Privacy Shield, was declared insufficient. In March 2022, EU Commission President Ursula von der Leyen and Biden announced that they would agree in principle on a successor regulation in order to put data exchange between the USA and the EU back on a secure legal basis.

Mass surveillance remains allowed

In its judgment, the ECJ had above all criticized the far-reaching access options for US secret services to data from Europeans. According to the decree, however, the US secret services are still permitted to carry out bulk surveillance (bulk collection) of telecommunications. However, this will only be approved "if the information required to support a validated intelligence priority cannot be obtained in an appropriate manner through targeted surveillance".

The secret service that uses mass surveillance should use "appropriate methods and technical measures" to limit the data collected to what is necessary and "reduce the collection of irrelevant information to a minimum". In general, intelligence activities may only be conducted to an extent and in a manner "proportionate to the validated intelligence priority for which they were authorized".

The decree also identifies six threats that mass surveillance can be used to combat. These include terrorism and the proliferation of weapons of mass destruction, but also malicious cyber activities and international financial crimes.

Two-stage complaints procedure

The decree also contains a new complaints mechanism that EU citizens can use to object to the collection of their data by US authorities. As a first step, a Civil Liberties Protection Officer (CPLO) attached to the US Intelligence Coordinator will investigate the complaint. The officer checks whether, for example, the regulations of the new decree or other US regulations have been violated.

The Biden decree also empowers the US Attorney General to establish a so-called Data Protection Review Court (DPRC). A three-person panel may conduct an independent and binding review of the Ombudsman's decisions at the request of the data subject or a representative of the intelligence community. The members of the court should be "lawyers with appropriate experience in the field of data protection and national security law, giving preference to those with previous judicial experience". They are not said to be U.S. government employees at the time of their initial appointment.

The EU Commission must make a decision

The so-called Privacy and Civil Liberties Oversight Board (PCLOB) is also to review the activities of the US secret services for compliance with the new regulations. The committee will also examine whether the secret services are cooperating sufficiently in the complaints procedure and whether they are implementing the requirements of the two new instances.

On the basis of the new decree, the EU Commission must now once again make a so-called adequacy decision. The Commission thus establishes that a comparable level of data protection as in the EU exists in a third country. However, the Commission must consult the European Data Protection Board (EDPB) and the European Member States. Observers, therefore, do not expect a decision to be made in spring 2023.

However, it cannot be ruled out that data protection activists such as the Austrian Max Schrems will again bring the EU Commission's decision to the court. In an initial statement, Schrem's Noyb organization expressed skepticism about the Biden decree.

Support the Creator, Support Journalism

Your Support Can Help Us Bring More Investigative and Quality Content For You. Buy Me a Coffee Here!