This article is more than 1 year old
US executive order a long way from settling EU privacy cases
Expect more sequels than Rocky: Europeans' view of 'proportional' very different from US
Comment The Trans-Atlantic Data Privacy Framework agreement between the EU and the US is unlikely to settle the issue of sharing personal data between the two economic superpowers, as a set of court cases and legal challenges loom on the horizon.
US president Joe Biden signed an Executive Order on 7 October, directing the United States to implement its commitments under the European Union-US Data Privacy Framework announced by Biden and European Commission president von der Leyen in March of 2022.
The order, designed to ease the trans-Atlantic data flows underpinning the $7.1 trillion EU-US economic relationship, soon found its way into the crosshairs of Max Schrems, the campaigner and lawyer behind the "Schrems I and Schrems II rulings", the latter of which struck down the earlier Privacy Shield data sharing pact between the two trading blocs.
What the Europeans view as proportional is not shared by the US. To what extent do secret warrants need to be targeted?
While the Austrian lawyer said the new arrangement was unlikely to satisfy the demands of EU law, there was a number of issues to work through before the prospect of a Schrems III ruling scuppers the proposed arrangement.
To start with, as yet, there is no US law bringing the framework to life. An executive order can be overturned by a subsequent president, as former president Donald Trump did in 2017, shortly after he became the nominal leader of the free world.
The Data Privacy and Protection Act, introduced in the House of Representatives on June 21, might be such an opportunity. But the path of the proposals through the US legislature seem far from clear. It has yet to advance to a full vote in the House and Speaker Nancy Pelosi has said she does not support the bill in its current form.
What is Schrems I?
In the first case, arising from a complaint filed with the Irish Data Protection Commissioner in 2011, privacy activist Max Schrems ultimately toppled the biggest EU-US data-sharing deal, Safe Harbor.
Schrems had alleged that Meta, then known as Facebook, had violated the so-called Safe Harbor agreement which protects EU citizens' privacy, by transferring its users' data to the US National Security Agency (NSA).
In the Schrems I ruling, in 2015, Europe’s highest court ruled that data sharing between the EU and US under the Safe Harbor framework was invalid.
What is Schrems II?
Schrems brought the latest edition of the long-running case (informally known as Schrems II) in 2015, complaining that Ireland's data protection agency still wasn't preventing Facebook Ireland Ltd (as EU representative of Zuckerberg's Meta empire) from beaming his data to the US under Privacy Shield.
In July 2020, the EU Court of Justice struck down the so-called Privacy Shield data protection arrangements between the political bloc and the US.
Hang on... Are we at Schrems III already?
Meanwhile, before we get to Schrems III, it's worth noting that we're not yet done with Schrems II.
Ireland’s Data Protection Commission has yet to publish its decision in the large-scale enquiry into data sharing by Meta, the social media giant at the centre of the Schrems II. The DPC is expected to describe sanctions the company could face.
In consultation with other EU data protection authorities, the DPC submitted a draft decision earlier this year, which included proposals to block Meta's transfers of personal data from the EU to the United States.
But even after the final report is released, the outcome is likely to be challenged given the new executive order from the Biden administration following the EU-US agreement, said Bill Mew, chair of the cyber working group for the International Association of Risk and Crisis Communication (IARCC).
"We may see an announcement in a few months' time to say that Facebook is banned in Europe, or we may see Facebook given six or 12 months to get its act together. But almost inevitably, based on this executive order, we're going to see Facebook complain that the ground has moved under its feet and everything's now hunky dory," he said.
"Given the facts there will be a clash between whatever the final Facebook reports from the DPC [show] and the interpretation of this executive order; you're bound to have some sort of return to court to thrash it out," Mew said.
In terms of the executive order itself, the debate is set to hinge on interpretation of the language and what it means in law either side of the Atlantic.
The Executive Order promises safeguards in terms of the use of personal data for intelligence activities, including that the activities will be conducted "only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority." It is the idea of proportionality which is open to interpretation.
- Business can't make employees submit to video surveillance: Dutch court
- Brexit dividend? 'Newly independent' UK will be world's 'data hub', claims digital minister
- Instagram fined in Ireland for violating children's privacy
- Privacy Shield binned after EU court rules transatlantic data protection arrangements 'inadequate'
- Oracle planning sovereign cloud regions for the EU
"What the Europeans view as proportional is not shared by the US. To what extent do secret warrants need to be targeted? Or can there be a fairly broad brush approach that fairly comprehensive mass surveillance is going on the whole time? It's a bit of a pretence for politicians to start talking about proportionality when what they mean is very, very different from what was outlined in the Schrems II case," Mew said.
The view echoes that of Max Schrems himself, who posted a statement last week which said the EU and the US seem to disagree on what the meaning of "proportionate" might mean. "In the end, the Court of Justice of the European Union definition will prevail – likely killing any EU decision again. The European Commission is again turning a blind eye on US law, to allow continued spying on Europeans."
Meanwhile, US-based International Center for Law & Economics welcomed the executive order, but said further litigation was "all-but-certain."
Whether we get to Schrems III or not, the legal cases over personal data sharing between two of the world's largest economies seem far from over. ®