U.S. & EU Reach Preliminary Deal on Data Privacy

Dear Data-Traveller, please note that this is a LinkedIn-Remix.

I posted this content already on LinkedIn in March 2022, but I want to make sure it doesn't get lost in the social network abyss.

For your accessibility-experience and also for our own content backup, we repost the original text here.

Have a look, leave a like if you like it, and join the conversation in the comments if this sparks a thought!

Original post:

Plain text and link to Wall Street Journal article:

"At issue in the talks has been whether the U.S. could convince the EU—and its top court—with new administrative appeals mechanisms for Europeans, but without a change to U.S. law, which would require approval by Congress, people briefed on the talks have said in recent months."

That does not sound promising to me, but maybe administrative appeals are much more powerful than they sound.

Link to Article

OK. Alexander Hanff easily deepens my concerns:

Just a quick heads up in relation to the announcement regarding a new deal for data transfers to the US.

First of all a *lot* of people are misreporting this (including the IAPP) – a DEAL has not been made, a deal *in principle* has been made – that is a very different thing and indicates that there is an understanding which could lead to an actual deal.

Furthermore, all indications at this point are that such a deal will be based on an Executive Order – executive orders are ephemeral (temporary) as any new President can undo EOs (Trump did it with Obama, Biden did it with Trump) – but what the CJEU requires are guarantees in law – which can only be achieved by an Act of Congress – and currently no such position is attainable (Congress is entirely too bipartisan at the moment to pass a law which limits the scope of US surveillance).

So even if this deal *in principle* does result in a real deal – it will not be enough to satisfy the CJEU and will almost definitely be rejected by the European Parliament and the EDPB – and of course will face a challenge in the CJEU.

I should also add that even if the Commission do adopt a new adequacy agreement – arguably if it is based on an EO, Supervisory Authorities will be required to circumvent it by forcing companies to suspend transfers as they have a legal obligation to do so if they believe there is not an essentially equivalent level of protection – even if there is an existing adequacy agreement (so do Controllers but we know most of them will ignore their legal obligations just as they currently do).

At best it will be a temporary bandaid which will just lead to the wound festering even further whilst once again the EU Commission undermine the rule of law (just as they did with Safe Harbour and Privacy Shield).