
The Privacy Advisor | DPC 2022: EU-US Data Privacy Framework on track, Schrems challenge to come




Well-known and influential names entrenched in the ongoing discussions around EU-U.S. data flows made their presence felt in back-to-back breakout sessions to cap off the final day of the IAPP Europe Data Protection Congress in Brussels, Belgium.

EU and U.S. government officials took the stage focused on further touting and cementing the pending EU-U.S. Data Privacy Framework's workability. NOYB Honorary Chairman Max Schrems threw cold water on those notions, all but announcing he will attempt to raise a potential "Schrems III" challenge to the Court of Justice of the European Union.

The DPF and subsequent draft adequacy process were spurred by the U.S. executive order from October mandating new legal safeguards over U.S. national security agencies' access to and use of EU and U.S. personal data. The order was in response to the CJEU's invalidation of the EU-U.S. Privacy Shield program, which stemmed from Schrems' second successful court challenge of an EU-U.S. data transfer agreement.

Taking the DPC stage first, Schrems said he could "rather quickly" get a case to the CJEU through an injunction he plans to raise, which would bring "a stay … that would basically freeze the (European) Commission's decision." While noting a freeze is unlikely to be accepted by the CJEU, Schrems said it is one expedited avenue to force the EU and the U.S. to abandon their proposed agreement and try to arrive at one with "legal certainty."

Schrems listed four red flags discovered in his and NOYB's analysis that merit challenging the framework if it's finalized. The proposed Data Protection Review Court that would be established by the U.S. Department of Justice is top of mind for Schrems, who downplayed the validity of the court.

"I think (the proposed redress system) is an upgrade, but it's still going to be very hard for the CJEU to look at that and say that is a court under Article 47 (of the EU Charter of Fundamental Rights)," Schrems said, adding that appointment of DPRC judges would also not meet Article 47 requirements.

Schrems made his remarks just before U.S. Privacy Shield Director Alex Greenstein and European Commission Head of International Data Flows and Protection Bruno Gencarelli took the stage. But Gencarelli took time to push back against the alleged shortcomings with redress.

"This is significantly different, even recognized by the most critical voices, from what we had before," Gencarelli said, describing the independence of the court and its access to relevant information to render its binding decisions on access claims. "It's a framework that has many pieces and we're bringing all these pieces together."

Another big topic raised during Greenstein and Gencarelli's session was the timeline for completing the adequacy process. Gencarelli confirmed the six-month target for finalization is accurate, but no hard finish line has been established given the magnitude and importance of the undertaking.

"How long this process will take will depend very much on the different interactions we have to have with our institutional interlocutors," Gencarelli said. "With recent adequacy decisions, it took about four to six months. I'm sure there will be lively discussion ... and this is important for (involved parties), so they'll probably (finish) sometime in the spring of next year."

Gencarelli and Greenstein both alluded to "implementation work" on the U.S. side once the agreement is reached. Greenstein pointed to the "preparatory work" for implementing U.S. commitments while packaging documents for the European Commission to use "to form the basis to do the draft adequacy decision."

Of great interest to privacy professionals was how or whether to prepare for finalization of the framework and new obligations. At the IAPP Privacy. Security. Risk. 2022 in October, Greenstein said guidance for transitioning from Privacy Shield to DPF was being developed. There were no updates on forthcoming guidance at DPC besides further reassurance from Greenstein that companies will soon receive assistance.

"Companies should not change their privacy (notices) right now, but we are committed to working to make a seamless transition," Greenstein said. "They will have to sort of make some updates, but they're sort of substantive. The subset of commercial elements to it will likely not change."
