Through the GDPR, the member states of the EU and the EEA countries ensure equivalent protection for personal data which is why personal data within this area can be transferred freely. Transfers of personal data to a country outside the EU/EEA area, such as the U.S., are only permitted under the General Data Protection Regulation (GDPR) under certain conditions, including if the EU Commission has decided that the country in question ensures an adequate level of protection. The EU Commission has previously adopted two such decisions for the U.S., based on Safe Harbour and Privacy Shield. Those decisions were, however, struck down by the Court of Justice of the European Union (CJEU) in Schrems I and II since the CJEU did not consider that the U.S. could ensure an adequate level of protection for personal data that was transferred from the EU to the U.S. In July 2023, the EU Commission announced that it had once again adopted an adequacy decision for the U.S. meaning that personal data can now flow freely from the EU to companies and organizations in the U.S. certified under the EU-US Data Protection Framework (EU-US DPF). The adequacy decision followed a presidential order signed by U.S. President Biden in October 2022, which introduced new security measures intended to remedy the problems identified by the CJEU in Schrems I and II. On the one hand, the US intelligence agencies’ access to personal data is limited to what is proportionate. On the other hand, a data protection court is established. The purpose of this essay is to examine whether the changes that the presidential order has given rise to has changed the legal situation after Schrems II in such a way that the U.S. can now be considered to ensure an adequate level of protection for personal data that is being transferred from the EU to the U.S. By analyzing the EU-US DPF against the background of the jurisprudence of the CJEU and the European Court of Justice, I find that this is not the case. The U.S. intelligence agencies’ use of and access to EU citizens’ personal data is still not limited to what is proportionate and EU citizens whose personal data is processed still do not have access to an effective remedy to challenge surveillance measures. Thus, the new adequacy decision for the U.S. is likely to be struck down by the CJEU in the coming years. The consequences of such an invalidation are examined to some extent in this essay, particularly in relation to other transfer mechanisms in Chapter V of the GDPR, namely standard contractual clauses and binding corporate rules.
| Identifer | oai:union.ndltd.org:UPSALLA1/oai:DiVA.org:uu-522292 |
| Date | January 2023 |
| Creators | Bjerselius, Nathalie |
| Publisher | Uppsala universitet, Juridiska institutionen |
| Source Sets | DiVA Archive at Upsalla University |
| Language | Swedish |
| Detected Language | English |
| Type | Student thesis, info:eu-repo/semantics/bachelorThesis, text |
| Format | application/pdf |
| Rights | info:eu-repo/semantics/openAccess |
Page generated in 0.0023 seconds