US president Joe Biden today signed an executive order on new rules to govern data transfers between the European Union and the US. The new rules aim to safeguard European citizens’ data from being accessed by third parties, but privacy campaigners are dubious that the agreement is compatible with the EU’s General Data Protection Regulations (GDPR).
President Biden signed the executive order this afternoon, confirming that the Data Privacy Framework will be implemented. “US and EU companies large and small across all sectors of the economy rely upon cross-border data flows to participate in the digital economy and expand economic opportunities,” a statement from the White House said. “The EU-US DPF represents the culmination of a joint effort by the United States and the European Commission to restore trust and stability to transatlantic data flows and reflects the strength of the enduring EU-US relationship based on our shared values.”
Why do we need Trans-Atlantic Data Privacy Framework?
The Data Privacy Framework was announced in March after talks between the EU and the US government that culminated during a visit to Brussels by Biden. Announcing the agreement, the president said it would “once again authorise transatlantic data flows that help facilitate $7.1trn in economic relationships”.
Two previous versions of the data transfer agreement, known as Safe Harbour and Privacy Shield, have been invalidated by decisions of the European Court. The most recent decision, in 2020, came after action was brought by privacy campaigner Max Schrems. The ruling in what became known as the Schrems II case declared the Privacy Shield was not compatible with Europe’s general data protection regulations (GDPR). This is because US law allows its government to requisition client data from companies on national security grounds, something which is prohibited under GDPR.
Since the ruling, transatlantic data transfers have continued using a legal instrument known as standard contractual clauses (SCCs), which wasn’t invalidated by the Schrems II judgement. These apply more stringent controls on how information is processed, and they were updated by the EU last year. Though they’ve been in use for two years, the legitimacy of this method has yet to be tested in court.
What’s in the new Data Privacy Framework?
The White House says the new Data Privacy Framework puts safeguards in place around the requisition of data by intelligence agencies, meaning this can only happen in “pursuit of defined national security objectives”, and “only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority”.
It mandates handling requirements for personal information collected through intelligence activities and “extends the responsibilities of legal, oversight, and compliance officials to ensure that appropriate actions are taken to remediate incidents of non-compliance”.
The US intelligence community will need to update elements of its policies and procedures to reflect the new privacy and civil liberties safeguards contained in the executive order, while an independent mechanism will be created for citizens to challenge how their data has been collected and accessed. The US Attorney General is instructed to set up this Data Protection Review Court as part of the order.
Will the EU-US Data Privacy Framework face legal challenges?
Campaigners are not convinced that the wording of the agreement is legal. Privacy rights group Noyb.eu says the differing definitions of “necessary” and “proportionate” in European and US law mean that the agreement would still allow the US to conduct bulk surveillance activities on European data.
“It seems, the EU and the US agreed to copy the words ‘necessary’ and ‘proportionate’ into the Executive Order, but did not agree that it will have the same legal meaning,” the group said. “If it would have the same meaning, the US would have to fundamentally limit its mass surveillance systems to comply with the EU understanding of ‘proportionate’ surveillance.”
Schrems, who is chair of Noyb.eu, added: “The EU and the US now agree on use of the word ‘proportionate’ but seem to disagree on the meaning of it. In the end, the European Court of Justice’s definition will prevail – likely killing any EU decision. The European Commission is again turning a blind eye to US law to allow continued spying on Europeans.”
Noyb.eu has not confirmed if it will challenge the new agreement. Speaking to Tech Monitor earlier this year, Jagvinder Singh, international and UK head of IT at law firm Mills & Reeve, said that though some aspects of the new rules will reassure businesses transferring data to the US, further court challenges are likely to hinder its application.
“It would be surprising if Schrems didn’t have another go, he’s probably looking for his hat-trick,” Singh said. “The courts highlighted several issues [in Schrems II] and there will be aspects that haven’t been addressed by this new framework and operations which still happen in a way that don’t provide the necessary assurances.”