
New EU-US Data Transfer Deal Underway After European Commission Adequacy Decision

The United States is once again a “trusted” digital trade partner in the eyes of the European Commission, clearing the way for EU-US data transfers to resume. Questions loom about how long that will remain the case, however, with privacy crusader Max Schrems expected to file a complaint by the end of August.

EU-US data transfer greenlit, but challenges are coming

Justice Commissioner Didier Reynders told the media that the new EU-US data transfer framework is “substantially different” from the prior Privacy Shield arrangement. However, privacy advocates like Schrems have been quick to point out shortcomings. This is also the view of some key components of the EU regulatory process, including the European Parliament and the European Data Protection Board (EDPB).

Complaints filed by Schrems undid the prior two EU-US data transfer agreements, and he and his advocacy group “noyb” are expected to immediately be at the forefront of a new court case. The prior challenges took years to unfold, but legal analysts believe that new challenges will pass through the system much more quickly due to the prior establishment of precedent. In terms of a rough time frame, Schrems has already announced his intention to file a complaint by the end of August, with the expectation that the case will be before the European Court of Justice sometime in early 2024.

Schrems’ position is that any EU-US data transfer agreement is untenable until the US changes federal law to curtail government access to foreign data that crosses its borders. While privacy equivalency with the protections that the General Data Protection Regulation (GDPR) guarantees has been used as a benchmark in these cases (and in adequacy decisions for other countries), this particular story dates back to years before the GDPR was implemented, all the way back to the Edward Snowden leaks of 2013.

The leaks revealed that the NSA and other agencies helped themselves to internet data crossing the US borders and involving foreign subjects, essentially establishing that EU residents have no expectation of privacy when companies send their data to servers in the US. In 2015, Schrems successfully made the argument that Facebook was thus in breach of the then-existing Safe Harbor EU-US data transfer scheme as it required “adequate protection” for such personal data. The Schrems II decision in 2020 invalidated the follow-up Privacy Shield agreement on similar grounds, this time specifically invoking GDPR requirements that had gone legally active in 2018.

The EU-US data transfer decision at least grants a reprieve for big tech platforms that are built on targeted advertising such as Meta and Google, which are already under regulatory fire on multiple fronts. After an Irish DPC decision on the security of Meta’s international transfers went sideways on the company in June, the social media giant began making rumblings about pulling its services out of Europe if a new framework was not settled by October.

Will the new EU-US data transfer hold up?

The EDPB has a fairly even-handed position on the new EU-US data transfer framework, noting that it shows “substantial improvement” but that it also contains legal holes that may not meet strict regulatory terms that have been tightened by these prior court decisions. The Biden administration’s new Executive Order 14086 does put “necessity and proportionality” restrictions on what intelligence agencies can now pull out of foreign internet traffic, and EU residents now have some visibility and redress in terms of US data access.

However, the EDPB also notes points of concern that remain, such as a lack of fully independent review of such data collection on the US side and whether data subjects have enough right of access to their personal information to satisfy GDPR requirements. The European Parliament has formally opposed the new framework on similar grounds, citing lack of necessary GDPR protections and inadequate control of indiscriminate bulk data collection.

Legal analysis of the issue varies, but there is substantial sentiment that Schrems will win a third victory and the issue will be back to square one sometime in 2024. Ani Chaudhuri, CEO of Dasera, articulates this view: “Firstly, let’s agree on this: data is the backbone of the modern economy. The absence of this agreement would have created a tumultuous environment for multinational businesses that rely heavily on data flows. However, this pact is a band-aid on a festering wound. It replaces the invalidated Privacy Shield but maintains many of its predecessor’s shortcomings. Why? Because, at its core, the Framework assumes trust between EU citizens and American intelligence agencies. It assumes a complaint-based system backed by an independent review body would provide adequate redress. But let’s be real: how many Europeans would feel comfortable voicing their concerns, let alone feel confident that their complaint would be handled fairly and impartially?”

“The primary question, as Schrems rightfully posits, is whether changes in US surveillance law can genuinely ensure Europeans’ privacy rights. I would argue that the answer is, as it stands, “no.” The issues run deeper than policy alone. The EU-US Data Privacy Framework marks a step forward but doesn’t necessarily solve the problem. The elephant in the room remains the balance between privacy rights and national security concerns,” noted Chaudhuri.

David Dumont, Partner at Hunton Andrews Kurth, takes a more optimistic view of the framework’s long-term chances: “The European Commission seems to be convinced that the new transatlantic data transfer framework will adequately address Schrems II issues and that the new adequacy decision will likely survive a challenge in the Court of Justice of the European Union, which will be asked to assess whether the new safeguards laid down in the Framework are sufficient to be considered essentially equivalent to the safeguards in the EU. Simultaneously, the EU Commission has reviewed the Executive Order with the Schrems II judgment, so in theory the adequacy decision should address all of the issues and concerns raised in the judgment. In light of this, it is less likely that any further challenge would be successful.”

“People have somewhat lost patience with the issue, and organizations are looking for legal certainty and reassurance that they can rely on the decision once confirmed. If the new adequacy decision would, once again, be struck down by the CJEU, organisations may lose faith in the feasibility of a successful EU-U.S. data transfer framework and turn to EU Standard Contractual Clauses as their sole and permanent solution to legitimize data transfers to the States,” noted Dumont.

It is possible that the CJEU could suspend the framework while it is reviewed, meaning that it could very well be in place for less than a year. Since 2020, companies have been getting by primarily with Standard Contractual Clauses (SCCs) for EU-US data transfers, which are still allowed but are subject to stricter scrutiny under a new set of rules that was first rolled out in June 2021 and then updated again in December 2022.