Skip to content

International – noyb publishes open letter on the future of EU-US data transfers

On 23 May 2022, the data privacy activist group ‘none of your business’ (noyb) published an open letter on the planned EU-US data transfer deal. 

The letter is addressed to the EU Commissioner for Justice, the US Secretary of Commerce, the EDPB Chair, the Chairman of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, and the Justice Advisor at the Permanent Representation of France to the EU.

The letter follows the announcement of an agreement in principle for a new Trans-Atlantic Data Privacy Framework (the TADPF), which noyb claims will largely “repeat” the previous EU-US Privacy Shield that was invalidated by the Court of Justice of the European Union (CJEU) in the landmark Schrems II decision. 

Whilst acknowledging that the text remains to be negotiated, the letter makes a number of observations and raises certain criticisms of the TADPF position that has been expressed to date. For example, noyb considers that:

  • the TADPF will rely on US executive orders, which it claims will be “structurally insufficient” to satisfy the CJEU’s requirements and may not allow data subjects to enforce limitations in court; 
  • replacing  the current Presidential Policy Directive 28 on Signals Intelligence Activities with an executive order referencing the “necessity and proportionality” of national security interests is no substitute for amending the law and a substantive change in approach to the proportionality of US surveillance practices;
  • proposals for a new Data Protection Court constitute the creation of an executive “body” (with limited independence) to deal with potential violations of US law and executive orders. noyb does not consider that this approach satisfies the requirement for an effective and independent means of judicial redress for EU data subjects;
  • the lack of updates to the previous Privacy Shield principles is problematic on the assertion that they refer to old law, do not reflect current elements of the GDPR (eg processing to be necessary and reliant to a legal basis, right of access) and more generally are not “essentially equivalent to the GDPR”; and
  • negotiators should look to protect rights to privacy and data protection irrespective of geographical location and citizenship, in contrast to the approach currently taken by the likes of FISA 702 and US executive orders (which refer to US/non-US persons), for example.

In the letter, noyb states that it is prepared to challenge any final adequacy decision that it considers to fail to provide the required legal certainty and warns the EU Commission against looking to buy “another couple of years” by agreeing to an arrangement that undermines CJEU judgments.

The noyb press release is available here and the noyb letter is available here

Related expertise