5. Data integrity and purpose limitation of personal data collection

The new SCCs explicitly state that the data importer «must be able to demonstrate compliance with its obligations under these clauses». As mentioned in the previous subsection «Schrems II Compliance», the new CCTs also impose an obligation on the data importer to provide compliance documents to the competent supervisory authority upon request. However, this approach may be limited by incongruity with other existing laws in the United States, such as the Clarifying Lawful Overseas Use of Data Act, or CLOUD Act.37 The CLOUD Act allows law enforcement agencies in the United States to force domestic technology companies to provide the information required by subpoena or warrant, regardless of where the information is stored.38 The United States Ministry of Justice and the European Commission held discussions on agreements on the electronic exchange of evidence, stressing the need for a clear future demarcation of areas where diplomatic data immunity should include provisions on the exchange of information for the purpose of combating serious crime and terrorism or where there is a risk of being exploited by negative actors.

19 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance). OJ No L, Vol. 119, 32016R0679, 4 May 2016, data.europa.eu/eli/reg/2016/679/oj/eng.

«CCT» means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 of 4 June 2021 for the transfer of personal data to countries that are not otherwise recognised by the European Commission as providing an adequate level of protection of personal data (as amended and updated).

To fill the void created by the 2015 decision, the United States and the European Union announced in 2016 the creation of a new Privacy Shield Framework between the European Union and the United States (and Switzerland). The new framework was designed by the Department of Commerce and the European Commission to help businesses in both jurisdictions comply with data protection requirements for the transfer of personal data in the course of commercial activities, and included new measures to address previous Safe Harbor concerns, as set out in the Privacy Shield information7.

1. If there is a transfer outside the EEA, clauses 3 and 4 apply to such a transfer.

In the context of data exchange between the EU and the US, diplomatic data immunity could be a feature of the new agreement, which allows for the continued exchange of data between jurisdictions under the umbrella of national data protection. In practice, this would mean that a European Union citizen such as Max Schrems would continue to enjoy the same protection of his personal data, regardless of the jurisdiction to which the data has travelled, as well as a legal remedy before the European courts for any claim. While the concept may be difficult to implement and may require agreements from the Department of Justice to uphold decisions, further research on the issue may be warranted given the opportunities to build strong data cooperation based on international relations.

Under the Safe Harbor, U.S. organizations could certify annually to the Department of Commerce that they comply with the seven principles (notification, choice, data sharing, security, data integrity, access, and enforcement) and related requirements to meet EU privacy adequacy standards. Participation in the Safe Harbor was open to any organization regulated by the Federal Trade Commission (FTC) and the Department of Transportation. The FTC has committed to reviewing all reports from EU member state authorities regarding possible violations.

3. Responsibility for onward data transfer when data is sent to third parties

36 «What is data sovereignty? Everything you need to know.» Permission.Io, August 11, 2020, permission.io/blog/data-sovereignty/.

Following the Schrems I decision, Max Schrems lodged his complaint with the Irish Data Protection Authority on the basis of Facebook Ireland's stated use of Standard Contractual Clauses (SCCs) for data transfers to the US-based parent company8. The CJEU's 2020 Schrems II decision overturned the standard business practices that companies had used under the Privacy Shield. Exacerbated by the previous Safe Harbor decision, the future of data transfer between the United States and the European Union is currently in a regulatory vacuum that puts the two jurisdictions at a crossroads.

The EU-US Privacy Shield adequacy decision was adopted on 12 July 2016 and the Privacy Shield was put into effect on 1 August 2016. This framework protects the fundamental rights of all individuals in the EU whose personal data is transferred to the United States for commercial purposes. It allows the free transfer of data to companies certified under the Privacy Shield in the United States.

Differences in circumstances and national interests show that there is a fundamental gap at the heart of the US-EU data transmission problem, which requires longer-term and more ambitious approaches to reshape cooperation and transfer. Four of these long-term proposals are outlined below to encourage more proactive approaches to transatlantic data relations and their future applications.

The new SCCs contain two provisions that address the concerns of Schrems II.

First, the data importer must (a) ensure that local legislation does not affect its ability to comply with the SCCs, and (b) document its analysis of local legislation in support of this safeguard. The data importer must provide these documents to the competent EU data protection authorities upon request.

«Ex-EEA transfer» means a processing activity in which customers' personal data processed in accordance with the GDPR is transferred from the data exporter to the data importer (or its premises) outside the EEA and such transfer is not governed by an adequacy decision of the European Commission in accordance with the relevant provisions of the GDPR.

The annexes to the new SCCs require much more detail than is required in the existing SCCs. For example, the new SCCs require the inclusion of retention periods for personal data transferred from the EU, the identification of additional protection for sensitive personal data and a detailed description of the technical and administrative safeguards that the data importer applies to personal data transferred from the EU.