EU gives its blessing to reopen data pipelines to the US
'We already have various legal options in the drawer,' says Max Schrems, lawyer who killed the first two deals
The European Commission has adopted an agreement with the US, reopening transatlantic data flows between America and EU nations as soon as the decision takes effect on July 11.
The EU-US Data Privacy Framework (DPF) is the third attempt between the trading bloc and the US to iron out privacy kinks in the flow of data about their citizens. This latest agreement marks the EU's determination that "the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework," the Commission said in a statement.
Key to today's decision was an October executive order signed by US President Joe Biden that the Commission said adds new safeguards that address the problems raised with the second attempt at a transatlantic data agreement, Privacy Shield.
Among the changes singled out by the EC are limits to the access US intelligence agencies have to EU citizens' data "to what is necessary and proportionate," as well as the establishment of a new Data Protection Review Court (DPRC) in the US to which EU citizens would have access.
"Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values," said von der Leyen.
Third time's the charm?
Disagreement with the DPF in the wake of Biden's executive order last year has been nearly constant from EU representatives.
Privacy advocates said the DPF was unlikely to survive a court challenge shortly after the EU released its draft adequacy statement in December. Not long after, the European Parliament's civil liberties commission urged the EC not to sign the adequacy agreement because it didn't properly deal with Privacy Shield concerns.
In May, EU parliamentarians passed a resolution urging the EC to delay its adequacy decision because the Framework wasn't "future-proof," a position which was agreed to by a whopping 306 to 27 margin.
"They say the definition of insanity is doing the same thing over and over again and expecting a different result. Just like 'Privacy Shield', the latest agreement is not based on material changes, but on short-term political thinking," said Austrian lawyer and privacy activist Max Schrems of EU privacy advocacy group None of Your Business (noyb).
Privacy Shield, and the Safe Harbor rule it replaced, were both struck down due to legal challenges filed by Schrems. According to his group noyb, the long-awaited Schrems III case "will again end up before the European Court of Justice (ECJ) in a few months."
Schrems and noyb called out several issues in the DPF that they said make it "largely a copy of the failed 'Privacy Shield' agreement."
The data privacy court, it said, will do little to address privacy violations and is given the same latitude to issue non-answers as the Privacy Shield ombudsman, which it replaces. Schrems also has concerns about the use of the word "proportionate" in regard to US intelligence's access to EU citizen data, an issue that was raised as far back as October when Biden and von der Leyen agreed to the DPF's terms.
"The USA will give the word 'proportional' a different meaning than the ECJ," noyb asserts, citing the fact that Biden's EO declares mass surveillance under FISA's Section 702 - which permits targeted, warrantless surveillance of non-US citizens - to be proportionate.
Section 702 of the FISA Amendments Act is also cited as a major reason why the DPF is inadequate, and while its renewal isn't a sure thing, noyb points out it'll remain in effect until at least the end of 2023. With DPF adequacy granted, "the EU has lost all leverage to seek [section 702] reform," Schrems said.
"There is consensus that FISA 702 violates fundamental rights … but the US continues to insist that foreign nationals in the US cannot [invoke] constitutional rights - therefore, from this point of view, violation of their right to privacy is not a problem," the group added.
"Various procedural options" for a new legal challenge have already been planned by noyb, which expects to bring one of its challenges to the ECJ once companies start making use of the DPF in the next few months. Noyb said it's "not unlikely" that a challenge is filed by the end of 2023 or in early 2024, giving the ECJ an opportunity to suspend the DPF until proceedings are closed, likely next year or in 2025.
"Just announcing that something is 'new', 'robust' or 'effective' does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work - and we simply don't have it," Schrems said. ®