Will Biden’s New EU-US Data Privacy Framework Pass Legal Muster?

Posted on Oct 11, 2022 by Glyn Moody

President Biden hopes that it’s third time lucky for the new EU-US Data Privacy Framework (DPF), implemented last week with an Executive Order (EO) on “Enhancing Safeguards for the United States Signals Intelligence Activities”. The previous two attempts to regulate data flows across the Atlantic, principally from the EU to the US, were both struck down by the EU’s highest court, the Court of Justice of the European Union (CJEU). The Safe Harbor framework was thrown out in 2015, and the Privacy Shield followed in 2020.

Max Schrems, privacy expert and head of NOYB – European Center for Digital Rights, remains skeptical, as there might be at least two major problems that stand in the way of the DPF being adopted as is.

What’s Different with the New EU-US Data Privacy Framework?

The new DPF is meant to address the two key requirements laid down by the top EU court. First, the CJEU said US surveillance of EU citizens had to be proportionate within the meaning of Article 52 of the EU’s Charter of Fundamental Rights. As the White House fact sheet explains, the EO:

Adds further safeguards for U.S. signals intelligence activities, including requiring that such activities be conducted only in pursuit of defined national security objectives; take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence; and be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority.

The second problem was the lack of access to judicial redress for EU citizens who believed their personal data had been abused by US intelligence services. The DPF has introduced a significant change here by creating:

a multi-layer mechanism for individuals from qualifying states and regional economic integration organizations, as designated pursuant to the E.O., to obtain independent and binding review and redress of claims that their personal information collected through U.S. signals intelligence was collected or handled by the United States in violation of applicable U.S. law, including the enhanced safeguards in the E.O.

The first layer consists of a new Civil Liberties Protection Officer (CLPO) in the Office of the Director of National Intelligence, who will conduct an initial investigation of qualifying complaints received to determine whether the new enhanced safeguards or other applicable US law were violated and, if so, to determine the appropriate remediation.

The second layer consists of a new Data Protection Review Court (DPRC) to provide independent and binding review of the CLPO’s decisions. Judges on the DPRC will be appointed from outside the US Government, will have relevant experience in the fields of data privacy and national security, and will enjoy protections against removal.

The New Data Privacy Framework Has the European Commission’s Approval

In a Questions & Answers document on the new framework, the European Commission comments: “These are significant improvements compared to the Privacy Shield. The new safeguards in the area of government access to data will complement the obligations that US companies importing data from EU will have to subscribe to.”

The document explains that the European Commission will now propose a draft “adequacy decision” – essentially giving its provisional blessing to the new framework – and launch an “adoption procedure”. This involves obtaining an opinion from the European Data Protection Board, which oversees the application of data protection rules throughout the European Union, and seeking the views of a committee of representatives of the EU Member States.

The European Commission is not obliged to follow recommendations from either group, and it seems almost certain that a final adequacy decision will be given in due course, probably early next year, regardless of their comments. After the CJEU’s rejection of previous frameworks, the European Commission is as keen as the US to come up with a replacement that will allow data transfers to take place without the need for alternatives such as standard contractual clauses, discussed on this blog last year.

Big Tech Is Eager for the EU-US DPF Framework

Unsurprisingly, major tech companies applauded the new DPF. The Reform Government Surveillance Group, which includes big names like Amazon, Apple, Google, Meta, and Microsoft, said in a statement:

The newly adopted safeguards as part of the EO will support EU-U.S. data flows, advance data privacy, and address concerns previously raised by the Court of Justice of the European Union (CJEU). We recognize and appreciate the effort of the U.S. Government in finalizing its implementation of the Framework.

However, others are not so pleased. BEUC, the umbrella group for 46 independent consumer organizations from 32 European countries, noted that the new DPF failed to offer any substantial improvements to the commercial use of personal data. It pointed out that there are fundamental differences in the level of privacy and data protection in the US and EU that remain unaddressed by the additional safeguards.

It’s Not Smooth Sailing Just Yet

Perhaps more problematic for the future of the DPF are the doubts of the privacy expert and campaigner Max Schrems. It was his legal actions that led to both Safe Harbor and Privacy Shield being struck down by the CJEU. He has two main concerns, and they are major ones.

First, that despite a promise of “proportionality”, the new EO will still allow “bulk surveillance”, which the CJEU ruled was not “proportionate”. Schrems adds that

(…) the EU and the US now agree on use of the word ‘proportionate’ but seem to disagree on the meaning of it. In the end, the CJEU’s definition will prevail – likely killing any EU decision again.

Max Schrems, founder of Noyb – the European Center for Digital Rights

The other problem that Schrems sees is that the new Data Protection Review Court is not a court in the legal sense of Article 47 of the EU’s Charter of Fundamental Rights. Schrems emphasizes: “The Charter has a clear requirement for ‘judicial redress’ – just renaming some complaints body a ‘court’ does not make it an actual court. The details of the procedure will also be relevant to see if this can satisfy EU law.”

Schrems says he and his team at Noyb will analyze the DPF documents in detail over the next few weeks. But he is clear about what will happen if he believes the new safeguards are inadequate: “If the Commission [adequacy] decision is not in line with EU law and the relevant CJEU judgments noyb will likely bring another challenge before the CJEU.”

That would take some years to work through the courts, but could ultimately see this third attempt to draw up a transatlantic data transfer framework thrown out, just like its predecessors. Fourth time lucky, perhaps…

Featured image created with Stable Diffusion.