Executive Order on US-EU Data Transfers: Challenges and Opportunities

$7.1 trillion US / EU economic President Biden s Executive Order on International Data Transfers between the US and the EU: Challenges and opportunities relationship Seminar at Seminar at Universidad Universidad CEU San Pablo CEU San Pablo Madrid, Madrid, Monday, 28 November 2022 Monday, 28 November 2022 Georgios N. Yannopoulos Associate Professor, School of Law, National & Kapodistrian University of Athens Director, Laboratory of Law & Informatics gyannop@law.uoa.gr

Prescribed by Law & DPIA conducted (63 L.4686/2020) Ministry Controller Platform Processor HDPA Violation of e-Privacy (2002/58)? (HDPA 50/2021) to gain access to information stored in the terminal equipment only allowed with clear and comprehensive information (Dir. 95/46/EC), . This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user [5 3] Tele-education in Greece: uncertainty caused by Schrems II (?) Not HCSC, but HDPA & traffic data [6 4] & billing info 2 gyannop@law.uoa.gr

Host name Session IP address Start End Registration info alpha 123.168.2.2 20201109 09:00 20201109 09:45 XXXX User generated data Only within EU Billing Data US bravo 123.168.1.1 20201109 11:00 20201109 11:15 YYYY 168.123.1.1 Host name / Session IP address / start-end time / registration info Analytics US Aggregated communication data Sub-contractors (cloud) bound by art. 28 GDPR rules charlie 20201109 11:18 20201109 11:55 ZZZZ gyannop@law.uoa.gr 3

Ministry reprimanted and platform asked to conduct DTIA Transfers to US: reassurances of the Platform (Exporter?): Not based on Privacy Shield 1.0 (Schrems II) SCCs & BCRs as per EDPB guidelines (2010/87/13.3.2020) US Authorities had never requested disclosure of such data RE: Schrems II & Foreign Intelligence Surveillance Act (FISA) Illegal Transfers? Post Schrems II actions Reports & Internal Policy on Government Data Access Exporter (?) Data Transfer Impact Assessment (DTIA) EDPB Rec 1/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data Technical measures (encryption, transparency, reports etc.) Followed EU Cloud CoC New SCCs (2021/914/27.6.2021) New HDPA decision confirming the Ministry s compliance 4 gyannop@law.uoa.gr

Strengthened privacy and civil liberties safeguards governing U.S. signals intelligence activities; a defined national security objective Enhanced oversight of signal intelligence activities; Policies & procedures A necessary and proportionate test in line with Article 52 CFR is implemented Two-tier redress mechanism for citizens of qualifying states : i. Civil Liberties Protection Officer ("CLPO"): ii. Data Protection Review Court ("DPRC ) Submission of a draft adequacy decision by the EU Commission (pending ) The EO 7-OCT-2022 Key Provisions 5 gyannop@law.uoa.gr

The European Commission thinks that the CJEU will not strike down the agreement again 1) Who is the exporter The EO Practical concerns 2) What mechanism until the adequacy decision? 3) If 46 3 (a) to (f) GDPR Yes, but SCCs / DTIA / challenges ! 6 gyannop@law.uoa.gr

Does it address all Schrems II concerns? Will the EO system be effective (for free flows)? Will US Agencies understand EU proportionality? Amendments to the U.S. statutory law required to ensure that surveillance proportionate . The DPRC (contrary to the name) not a Court (executive body with limited independence) Will organisations meet their obligations? The EO EU scepticism v. US attitude is necessary and What kind of data? If serious NOT soft law If NOT why regulate Level of danger (see AiA) Relativity of DP 7 gyannop@law.uoa.gr

What next? What next? Compliance: Mission Impossible 8 gyannop@law.uoa.gr