Since the Schrems-II decision came along, businesses on both sides of the Atlantic have faced several challenges while trying to ensure the adequacy of their transferring safeguards.
Here's how the new framework differs from the previous mechanisms:
After lengthy negotiations, this executive order addresses the two main concerns raised in the Schrems-II ruling: proportionality and redress. In a nutshell, the ruling puts in place mandates where data collection must be carried out proportionately while respecting people's privacy.
So, will the 3rd time do the charm?
To achieve the set goals, the US plans to create a court with independent judges and put in place Civil Liberties Protection Officer who will oversee the executive order and prosecute any violations.
However, according to first reaction article on the NOYB website, Max Schrems is not too optimistic about the new framework. His criticism is twofold. First, in his view, the core issues have not been addressed since the ruling is unlikely to change how the US intelligence agencies operate. Second, the Data Protection Review Court is too closely connected to the US government, which clearly undermines its independence.
While it seems like a big step, Max Schrems has indicated that the Executive Order is most likely to end up once again in the courtroom. Now, it's just a waiting game.
Regardless of the success of the US Executive Order – or of the outcome of a potential Schrems-III – the past years have shown the importance of building redundancies. In that regard, it is clear that having different and robust safeguards that can tackle the specific needs of different processing activities is of great added value.
This is why the EU Cloud CoC General Assembly continues to work on an additional module to tackle international data transfers. We firmly believe that codes of conduct, as one of the mechanisms put forward by GDPR to address international data transfers, has a unique potential to create adequate sectoral safeguards.
On a last note, the EU Cloud CoC Third County Module plans to address personal data flows to any country beyond the EU boarders. Such a comprehensive approach is particularly beneficial for the cloud industry.
To learn more about the initiative click here.