A new data-sharing deal has been struck between the EU and the US, which aims to ease concerns over EU citizen data being shared with US intelligence agencies. European privacy campaigners plan to challenge the deal, saying it isn’t different enough from previous attempts, which have been shot down by the European Court of Justice. But the latest may turn out to actually be more robust than its predecessors, depending on how complaints are handled by the US.
The new agreement, referred to as the EU-US Data Privacy Framework, is the latest attempt to secure a data adequacy deal between the European Union and the US. It follows previous failed attempts like Safe Harbour and the Privacy Shield which were introduced over the past two decades. Both were thrown out in court because data in the US is not protected in a way that complies with Europe’s GDPR. Privacy campaigner Max Schrems, who brought both successful lawsuits against the agreement’s predecessors, says this new attempt is no different.
The new EU-US Data Privacy Framework gives Europeans the right to object, through a new Data Protection Review Court made up of US judges, if they suspect their data has been collected by a US intelligence agency. The court is designed to hear those claims and objections to data capture. In return, US tech giants such as Meta, Google and Amazon will be able to continue processing EU data through US servers.
As part of the agreement, the EU has granted the US data adequacy, which allows for personal data to be transferred between EU and US companies more freely. This is because it ensures the same level of protection for EU citizen data while in the US as it enjoys in the EU. It was formalised after President Joe Biden signed an executive order to enhance safeguards on US intelligence activities. The lack of protection from US intelligence agencies was one of the stumbling blocks that saw previous iterations thrown out by the EU Court of Justice.
Schrems says the executive order doesn’t go far enough to ensure the protection of EU citizen data. “We now had ‘Harbors’, ‘Umbrellas’, ‘Shields’ and ‘Frameworks’ – but no substantial change in US surveillance law,” he said. “Just announcing that something is ‘new’, ‘robust’ or ‘effective’ does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work – and we simply don’t have it.”
EU justice chief Didier Reynders says the EU is confident of fending off any legal challenge to the latest adequacy agreement. “The principles of the data privacy framework are solid, and I am convinced that we have made significant progress which meets the requirements of the European Court of Justice case law,” he said yesterday when the deal was announced.
Necessary and proportionate use of data
Under the new agreement, US intelligence services will only have access to data that is “necessary and proportionate”. The agreement also includes other improvements, such as the ability of the new data review court to order a US agency to delete data it finds is held in violation of the agreement. EU President Ursula von der Leyen says the agreement will ensure safe data flows for Europeans and bring legal certainty to both EU and US companies handling data.
US companies can join the new framework by committing to comply with a set of privacy obligations that include the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected. They also have to ensure continuity of protection if the data is shared with third parties.
Julia Kaufmann, IT and data partner at international legal practice Osborne Clarke, said the changes should be enough to satisfy the EU Court of Justice. This is based on an assessment of US law and practice, in particular the new executive order (EO 14086) signed by President Biden to provide redress for data misuse. “In my view, EO 14086 has significantly changed the rights for EU individuals regarding their personal data,” she says. “The principle of proportionality has been implemented into US law for governmental access and the redress mechanism for EU individuals provides now for an avenue to an impartial tribunal, the Data Protection Review Court.”
Kaufmann says the question isn’t whether all the rights under a constitution apply to non-citizens, it is whether the laws and practices in a third country are adequate from an EU perspective. “Of course, what we do not know at this point is whether the actual practice in the US will follow the laws,” she explains. “That is something the EU Commission will need to monitor. Moreover, the EU Commission has determined that after one year it will re-evaluate, and if needed suspend, the adequacy decision. I believe there is a lot of pressure on the US to live up to the promises it has made in the EO 14086 in practice.”
Rohan Massey, head of Ropes and Gray’s data, privacy and cybersecurity practice, says companies will welcome the new framework, and even if it is eventually shut down by the courts, “at this point clarity, even in the short term, will be welcomed by any organisation engaged with transatlantic data transfers”.
Last month the UK and the US reached a commitment to create a “data bridge” between the two countries. The in-principle commitment will see an extension to the Data Privacy Framework that would allow US companies to receive UK personal data more freely. This would remove the burden on businesses of having to comply with contract clauses, making it easier for companies to trade internationally.