In recent years, the issue of data transfer between the European Union and the United States has become a hot topic, as concerns over privacy and data protection continue to grow. With the rise of big data and the increasing globalization of the digital economy, the transfer of personal data across borders has become a crucial issue that needs to be addressed.
In March 2022, the European Commission and the President of the US announced that they had reached an agreement on a new Data Protection Framework. Under the agreement, data will flow freely and continuously between the EU and US companies, with access by US intelligence agencies limited to what is necessary and proportionate.
The elements of the above agreement were put into a binding legal form on 7 October 2022 (Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities). The Order states that the protection of privacy and civil liberties shall be an integral part of the work of the secret services, and therefore restricts their access to EU data while obliging them to review the principles and procedures governing their activities. Thereafter, secret services will only be authorised to carry out certain activities if it is determined, on the basis of a "reasonable assessment of all relevant factors", that the activities are necessary to achieve the objectives.
There is also a requirement of proportionality and the expectation that such activities should only be carried out to achieve specific national security objectives, such as combating espionage and terrorism, international crime or cybercrime. The list may be expanded by the US President. Prohibited purposes are also listed in the Order, which include suppression of free speech and restriction of the right to legal protection, as well as providing American companies with an economic advantage by using the collected data and trade secrets. The Order states that targeted collection should be preferred, and mass collection of data should only be authorised by the leaders of the intelligence agency if the targeted collection is unlikely to lead to results. A two-tier appeal system has also been set up, with a separate court. The new framework, like its predecessors, will build on companies' self-certification-based compliance, with strong data protection obligations.
The European Commission is preparing a new adequacy decision to give legal recognition to the above, in which the recent opinion of the European Data Protection Board, issued in February 2023, will play a key role. The Board has acknowledged that there has been substantial progress on the restrictions in the Order but expects intelligence agencies to update their procedures and data protection policies in line with the new rules. The Board expresses concern about the continued possibility of mass collection and about certain conceptual ambiguities. It calls for further clarification on the rights of data subjects, in particular on the exercise of access and objection, and for tighter regulation of data transfers between intelligence agencies.