Privacy: level of protection of personal data under the EU-US Data Privacy Network
Commission decision published in the Official Journal of the EU on 20.9.2023. Summary published by Helse- og omsorgsdepartementet (the Norwegian Ministry of Health and Care Services) on 20.9.2023.
Further details
BACKGROUND (from the Commission decision)
(1) Regulation (EU) 2016/679 sets out the rules for the transfer of personal data from controllers or processors in the Union to third countries and international organisations to the extent that such transfers fall within its scope of application. The rules on international data transfers are laid down in Chapter V of that Regulation. While the flow of personal data to and from countries outside the European Union is essential for the expansion of cross-border trade and international cooperation, the level of protection afforded to personal data in the Union must not be undermined by transfers to third countries or international organisations.
(2) Pursuant to Article 45(3) of Regulation (EU) 2016/679, the Commission may decide, by means of an implementing act, that a third country, a territory or one or more specified sectors within a third country, ensure(s) an adequate level of protection. Under this condition, transfers of personal data to a third country may take place without the need to obtain any further authorisation, as provided for in Article 45(1) and recital 103 of Regulation (EU) 2016/679.
(3) As specified in Article 45(2) of Regulation (EU) 2016/679, the adoption of an adequacy decision has to be based on a comprehensive analysis of the third country’s legal order, covering both the rules applicable to data importers and the limitations and safeguards as regards access to personal data by public authorities. In its assessment, the Commission has to determine whether the third country in question guarantees a level of protection ‘essentially equivalent’ to that ensured within the Union (recital 104 of Regulation (EU) 2016/679). Whether this is the case is to be assessed against Union legislation, notably Regulation (EU) 2016/679, as well as the case law of the Court of Justice of the European Union (the Court of Justice).
(4) As clarified by the Court of Justice in its judgment of 6 October 2015 in Case C-362/14, Maximillian Schrems v Data Protection Commissioner (Schrems), this does not require finding an identical level of protection. In particular, the means to which the third country in question has recourse for protecting personal data may differ from the ones employed in the Union, as long as they prove, in practice, effective for ensuring an adequate level of protection. The adequacy standard therefore does not require a point-to-point replication of Union rules. Rather, the test is whether, through the substance of privacy rights and their effective implementation, supervision and enforcement, the foreign system as a whole delivers the required level of protection. Furthermore, according to that judgment, when applying this standard, the Commission should notably assess whether the legal framework of the third country in question provides rules intended to limit interferences with the fundamental rights of the persons whose data is transferred from the Union, which the State entities of that country would be authorised to engage in when they pursue legitimate objectives, such as national security, and provides effective legal protection against interferences of that kind. The ‘Adequacy Referential’ of the European Data Protection Board, which seeks to further clarify this standard, also provides guidance in this regard.
(5) The applicable standard with respect to such interference with the fundamental rights to privacy and data protection was further clarified by the Court of Justice in its judgment of 16 July 2020 in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Schrems II), which invalidated Commission Implementing Decision (EU) 2016/1250 on a previous transatlantic data flow framework, the EU-U.S. Privacy Shield (Privacy Shield). The Court of Justice considered that the limitations to the protection of personal data arising from U.S. domestic law on the access and use by U.S. public authorities of data transferred from the Union to the United States for national security purposes were not circumscribed in a way that satisfies requirements that are essentially equivalent to those under Union law, as regards the necessity and proportionality of such interferences with the right to data protection. The Court of Justice also considered that no cause of action was available before a body which offers the persons whose data was transferred to the United States guarantees essentially equivalent to those required by Article 47 of the Charter on the right to an effective remedy.
(6) Following the Schrems II judgment, the Commission entered into talks with the U.S. government with a view to a possible new adequacy decision that would meet the requirements of Article 45(2) of Regulation (EU) 2016/679 as interpreted by the Court of Justice. As a result of these discussions, the United States on 7 October 2022 adopted Executive Order 14086 ‘Enhancing Safeguards for US Signals Intelligence Activities’ (EO 14086), which is complemented by a Regulation on the Data Protection Review Court issued by the U.S. Attorney General (AG Regulation). In addition, the framework that applies to commercial entities processing data transferred from the Union under the present Decision – the ‘EU-U.S. Data Privacy Framework’ (EU-U.S. DPF or DPF) – has been updated.
(7) The Commission has carefully analysed U.S. law and practice, including EO 14086 and the AG Regulation. Based on the findings set out in recitals 9-200, the Commission concludes that the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. DPF from a controller or a processor in the Union to certified organisations in the United States.
(8) This Decision has the effect that personal data transfers from controllers and processors in the Union to certified organisations in the United States may take place without the need to obtain any further authorisation. It does not affect the direct application of Regulation (EU) 2016/679 to such organisations where the conditions regarding the territorial scope of that Regulation, laid down in its Article 3, are fulfilled.