May personal data go back to the US?

The blog article below (original from ICT Law) seemed super logical for us to share. As Analyst ICT, we think it's important to think carefully about where your data is stored and what happens to it. As you may have seen in the news, there is quite a bit going on around storing data in the US. Below is an overview of the latest developments.

On Oct. 7, 2022, U.S. President Biden signed an Executive Order as the next step toward establishing a successor to the EU-US Privacy Shield that was invalidated in 2020. This blog explains why there was a need to reach a new agreement, what exactly this Executive Order entails and what critical thinkers like Max Schrems think of such new mechanisms of transfer between the EU and the US.

Why an Executive Order?

In the Schrems II case, the Court of Justice of the European Union (the Court) invalidated the EU-US Privacy Shield. The Privacy Shield allowed organizations within the EU to transfer personal data to organizations in the United States. Parties could join it if, by taking a number of steps, they demonstrated compliance with some minimum requirements as we know them from the GDPR, for example drawing up a privacy statement.

The Privacy Shield was necessary because the General Data Protection Regulation (GDPR) prohibits transfers of personal data to individuals or organizations located outside the EEA, such as those in the US. Therefore, transfers are only allowed to countries with an adequate level of protection (the U.S. does not offer an adequate level of protection). Our blog EDPB's Recommendations for Personal Data Transfers to Third Countries explains how transfers of personal data to so-called third countries may still take place.

The Court found in the Schrems II case that the Privacy Shield could not guarantee sufficient protection. This was because intelligence and security agencies in the U.S. have the right to access and use data of EU citizens in some cases. The U.S. legislation that leaves the door ajar for this takes precedence, in practice, over EU legislation.

While that may feel strange to ‘us,’ such legal possibilities in the U.S. mostly stem from a different view of privacy than we have here in the EU. Privacy in the EU is considered a fundamental right that applies to everyone. Under U.S. law, the idea of privacy protection is primarily reserved for U.S. citizens and permanent residents. Because the Privacy Shield was invalidated, additional safeguards must be put in place to still be able to transfer data to the US. So now that red tape seems to be coming to an end. Or are we rejoicing too soon?

What does this new Executive Order entail?

By signing the Executive Order, Biden appears to be indicating that he respects the Court's previous rulings. Indeed, the Executive Order provides as follows:

  • Binding safeguards that ensure US intelligence agencies limit access to data to what is necessary and proportionate to protect national security;
  • A new independent and impartial appeals mechanism, including a new Data Protection Court (DPRC), which ensures that data access complaints will be investigated and resolved by U.S. security agencies;
  • Review of U.S. intelligence policies and procedures.

What does Schrems think of this new Executive Order?

Schrems, best known for his previous cases against the transfer mechanisms with the U.S. and working at the firm NOYB, seems for now - surprise surprise - not to like the Executive Order. He indicates that the ‘new court’ being created is not a real court, because renaming a complaint body a ‘court’ does not actually make it a court. Schrems also indicates that, at first glance, the core issues do not appear to have been resolved. It therefore appears that he is going to turn back to the Court. NOYB has further indicated that it will return in a few days with an in-depth analysis of the Executive Order.

There is definitely something to be said for Schrems' objections. Besides, of course, it remains to be seen how certain words like ‘proportionate’ and ‘necessary’ (part of the Executive Order) are going to be interpreted from the US perspective. Also, previous attempts to streamline US-EU transfers do not exactly offer much in the way of future prospects.

It seems the last word has not yet been said. Schrems still seems dissatisfied with the new Executive Order. Therefore, it is not wise to immediately see it as a life preserver to just return to full use of U.S. service providers. This follows from the uncertainty and costs involved in reversing that decision if the proposal is not going to make it or is shot down by Schrems and co. So indeed, let us not cheer too soon. In the meantime, DTIAs (Data Transfer Impact Assessments) remain mandatory when you start sharing data with organizations outside the EEA.

Source: ICT Law

If you have any questions or want to know how we have helped other customers with this, please take a moment to contact us.

 
