Third Time Lucky for Transatlantic Data Transfer Framework? Max Schrems Doesn’t Think So

Posted on Jul 28, 2023 by Glyn Moody

The European Commission has just adopted a new “adequacy” decision to keep personal data flowing between the EU and the US. The stakes are high: according to the Commission, data flows underpin nearly one trillion euros in cross-border commerce each year. Under the EU’s General Data Protection Regulation (GDPR), personal data may not be transferred from the EU to another country unless the latter’s privacy protections are “adequate” – meaning essentially equivalent to those provided by the GDPR – or another recognised transfer safeguard, such as standard contractual clauses, is in place. Without an appropriate framework, those data flows would be illegal, and any company making them would be at risk of legal sanctions.

Drawing up a data transfer framework between the EU and the US that provides adequate privacy protections is proving extremely difficult. As we wrote last year, the previous two attempts to regulate data flows across the Atlantic, principally from the EU to the US, were both struck down by the EU’s highest court, the Court of Justice of the European Union (CJEU). The Safe Harbor framework was thrown out in 2015, and the Privacy Shield followed in 2020.

The underlying problem is the US surveillance revealed by Edward Snowden in 2013. The US wants to carry on spying for reasons of national security, but the GDPR requires that EU personal data be protected from (most) spying in the US. The new Data Privacy Framework is an attempt to reconcile these two things. Central to that is a new Executive Order issued by President Biden on “Enhancing Safeguards for United States Signals Intelligence Activities.” Just recently, the Office of the Director of National Intelligence released the US intelligence community policies and procedures to implement the privacy and civil liberties safeguards specified in the Executive Order (EO).

When the EO was released last year, groups like BEUC, the umbrella group for 46 independent consumer organizations from 32 European countries, pointed out that there were fundamental differences in the level of privacy and data protection in the US and EU that remained unaddressed by the additional safeguards.

Since then, two important EU bodies have offered their views. The European Data Protection Board (EDPB), which oversees the consistent application of the GDPR across the EU, expressed its concerns about the new framework, regarding “certain rights of data subjects, onward transfers, the scope of exemptions, temporary bulk collection of data and the practical functioning of the redress mechanism.” The European Parliament was even more doubtful that it would work. In a resolution passed in May, the European Parliament found:

that the EU-US Data Privacy Framework fails to create essential equivalence in the level of protection; calls on the [European] Commission to continue negotiations with its US counterparts with the aim of creating a mechanism that would ensure such equivalence and which would provide the adequate level of protection required by Union data protection law and the Charter as interpreted by the CJEU; calls on the Commission not to adopt the adequacy finding until all the recommendations made in this resolution and the EDPB opinion are fully implemented;

The Parliament was worried that the Data Privacy Framework in its current form would be challenged before the CJEU, leading to yet more uncertainty for businesses that must depend on it to ensure their transatlantic transfers are permitted. That challenge seems certain, because the person who brought down the two previous frameworks – Max Schrems – has already said that is precisely what he intends to do with his organization:

We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong [after the previous successful challenges]. We currently expect this to be back at the Court of Justice by the beginning of next year. The Court of Justice could then even suspend the new deal while it is reviewing the substance of it.

Like BEUC, the EDPB, and the European Parliament, Schrems believes that the new EU-US Data Privacy Framework lacks the necessary privacy protections for EU citizens. In his commentary on the new framework, which explains in more detail why he believes it to be unsatisfactory, Schrems says:

Overall the new “Trans-Atlantic Data Privacy Framework” is a copy of Privacy Shield (from 2016), which in turn was a copy of “Safe Harbor” (from 2000). Given that this approach has failed twice before, there was no legal basis for the change of course – the only logic of having a deal was political.

The many successful legal actions that Schrems and his organization have already brought make it likely that he will indeed go ahead and mount this new challenge. Moreover, his track record of overturning the two previous frameworks, and of winning other crucial privacy battles at the CJEU discussed on the PIA blog over the years, means that his view that the latest approach will also fall deserves to be taken seriously.

The ramifications of such a third failure would be wide. It would mean that many companies transferring personal EU data across the Atlantic would need to find another approach, for example by storing all relevant personal data within the EU. That’s something companies have resisted doing, but soon they may not have much choice. This argument over what constitutes adequate privacy protection in the US has been going on for nearly a decade, but it is not over yet. And with a trillion euros of data flows at stake, it could hardly be more significant for US and EU companies.

Featured image created with Stable Diffusion.