On 13 December, the European Commission published a draft adequacy decision that would approve the EU-US Data Privacy Framework (EU-US DPF), a new framework that would allow EU organisations to freely transfer personal data to organisations based in the US.
Companies on both sides of the Atlantic have been in legal limbo since July 2020, when the previous transfer framework, Privacy Shield, was shot down at the Court of Justice of the European Union (CJEU) in its “Schrems II” decision.
For the past two and a half years, many businesses and governments have been desperate for a new adequacy decision, particularly because the court also cast doubt over the validity of other transfer mechanisms, such as standard contractual clauses (SCCs).
But will the EU-US DPF solve the data transfer problem in the long term?
Not if Max Schrems has his way. The privacy campaigner has already made clear that he is preparing for “round three” at the CJEU.
This article will provide an overview of the main features of the EU-US DPF, identify Schrems’ objections to the new framework, and consider how the adequacy decision would fare in a challenge before the CJEU.
The Story So Far
- 2000: The European Commission adopts an adequacy decision approving the “Safe Harbor” framework, enabling the free flow of personal data to certified US organisations.
- 2013: The Snowden leaks reveal the extent of US surveillance activity under the “PRISM” and “Upstream” programmes, leading to increased concern about the effectiveness of Safe Harbor in protecting personal data against government surveillance.
- 2013: Max Schrems makes his first complaint against Facebook to the Irish Data Protection Commission (DPC), alleging that the social network was violating his data protection rights by transferring his personal data to its US-based parent company.
- 2015: “Schrems I”: After a reference by the DPC regarding Schrems’ case, the CJEU invalidates the adequacy decision adopting Safe Harbor.
- 2016: The European Commission adopts an adequacy decision approving a new data transfer framework, known as “Privacy Shield”.
- 2017: Max Schrems makes another complaint alleging that Facebook was failing to protect his personal data.
- 2020: “Schrems II”: The CJEU invalidates the adequacy decision adopting Privacy Shield. The court also states that SCCs might not facilitate compliant data transfers in all cases.
- 2022: In October, the Biden administration issues an executive order forming the basis of the EU-US DPF. In December, the Commission publishes a draft adequacy decision regarding the framework.
Problems with Privacy Shield
To survive a court challenge, the EU-US DPF would need to overcome the problems that the CJEU found with the new framework’s predecessor, Privacy Shield.
The CJEU identified several problems with the Privacy Shield framework, including the following:
- Ombudsperson: The CJEU found that the Privacy Shield Ombudsperson, the body that was responsible for handling complaints from EU individuals, did not have sufficient independence and powers.
- Access to personal data by US intelligence agencies: The CJEU found that the executive order implementing Privacy Shield did not adequately restrict the activity of US intelligence agencies.
- Redress: The CJEU found that the Privacy Shield framework did not provide individuals with sufficient means of redress in the event of any violations of their privacy rights.
Fundamentally, the court found that Privacy Shield did not provide sufficient guarantees that personal data transferred to the US would be protected in the same way as in the EU.
Overview of the New Agreement
In its draft adequacy decision, the European Commission examines these legal instruments and determines that the EU-US DPF provides a set of safeguards over personal data that is “essentially equivalent” to those that exist under EU law.
The adequacy decision isn’t valid yet (more about this at the end of this article).
Here’s an overview of the framework and the Commission’s assessment.
Once certified under the EU-US DPF, organisations must follow the “EU-US DPF principles” in respect of imported personal data.
The EU-US DPF principles are:
- Accountability for onward transfer
- Data integrity and purpose limitation
- Recourse, enforcement and liability
The framework also incorporates “supplemental principles”. These expand on the EU-US DPF principles and include information on self-certification, processing sensitive data, exemptions, and enforcement.
The principles remain broadly unchanged since Privacy Shield (and even Safe Harbor).
The adequacy decision also assesses the effectiveness of the restrictions on US intelligence activity.
Among other considerations, the Commission highlights the following aspects of EO 14086 and its restrictions on intelligence services:
- It applies to all signals intelligence activities (collection, use, dissemination, etc).
- It requires that such activities must be based on statute or presidential authorisation and must comply with US law.
- It requires that appropriate safeguards must be in place to ensure that privacy and civil liberties are integral considerations in the planning of intelligence activities.
- It requires that any signals intelligence activity may only be carried out “following a determination, based on a reasonable assessment of all relevant factors, that the activities are necessary to advance a validated intelligence priority.”
- It requires that such activities may only be conducted “to the extent and in a manner that is proportionate to the validated intelligence priority for which they have been authorised.”
- It requires that a balance must be achieved “between the importance of the intelligence priority pursued and the impact on the privacy and civil liberties of affected individuals, regardless of their nationality or wherever they might reside.”
Overall, the Commission finds that the executive order “strengthens the conditions, limitations and safeguards that apply to all signals intelligence activities, regardless of where they take place.”
Appeal and Redress
The Data Protection Review Court (DPRC) is a new mechanism, replacing the Privacy Shield Ombudsperson, intended to provide redress to individuals whose rights may have been violated under the EU-US DPF.
The US government has implemented a two-layered system for EU individuals to complain about US intelligence activities that may have infringed their personal data protection rights.
- The first layer involves lodging a complaint with the Civil Liberties Protection Officer (CLPO) of the US intelligence community, who can then adopt any necessary corrective measures.
- The second layer involves appealing the CLPO’s decision to the newly created Data Protection Review Court (DPRC).
The DPRC will be composed of members appointed from outside the US government and will have the power to investigate complaints, obtain relevant information from intelligence agencies, and make binding remedial decisions.
Max Schrems has repeatedly stated his intention to challenge the new adequacy decision as soon as it’s adopted (or even before), meaning that the EU-US DPF might end up suffering the same fate as its predecessors.
In a statement following the issuing of EO 14086, noyb, the privacy campaign group chaired by Schrems, criticised several aspects of the new framework.
Necessity and ‘Proportionality’?
In an attempt to satisfy the CJEU’s concerns about the sweeping powers of US intelligence services, EO 14086 introduces the EU concepts of “necessity” and “proportionality”, as they appear in Article 52 of the EU Charter of Fundamental Rights.
This language replaces the Privacy Shield requirement that intelligence activities must be “as tailored as feasible”.
Noyb claims that the use of the words “necessary” and “proportionate” in the executive order is problematic because the EU and the US seem to disagree on the meaning of these two terms.
According to noyb, there is no indication that US mass surveillance will change in practice, despite the use of EU-style wording. This means that so-called “bulk surveillance” could continue under the new executive order, and any data sent to US providers will still end up in programs like PRISM or Upstream.
Noyb considers this an issue because the CJEU previously declared US surveillance laws and practices not “proportionate” under the European understanding of the word.
Noyb sees it as a fundamental problem that the new framework was issued in the US via executive order. This is because an executive order is an internal directive by the US President within the federal government—but not, according to noyb, a law.
This is an issue, noyb claims, because the framework could be easily changed or undone by a future US president.
It’s worth noting, however, that Privacy Shield was also implemented via executive order, and the CJEU did not raise this as an issue in its Schrems II decision.
Noyb also takes issue with the DPRC, claiming that the body is “not a real court”.
“…this will not be a ‘Court’ in the normal legal meaning of Article 47 of the Charter [of Fundamental Rights] or the US Constitution,” the statement says, “but a body within the US government’s executive branch.”
Noyb argues that the new system is an upgraded version of the previous “Ombudsperson” system, which the CJEU rejected in Schrems II.
Fundamentally, the organisation argues that—like the Privacy Shield Ombudsperson—the DPRC would not be able to provide “judicial redress” as required under the Charter.
Another problem from noyb’s perspective is the manner of providing redress.
“The US government will neither confirm nor deny that the user was under surveillance and will only inform the user that there was either no violation or it was remedied,” the group says.
Will the New Agreement Survive?
Despite noyb’s criticisms, there have been several voices from outside the EU and US executives arguing that the EU-US DPF will meet EU standards and should survive a court challenge.
For example, noyb (and others) have argued that implementing the new framework via executive order is inherently problematic. But legal scholar Cameron Kerry argues that executive orders “have been recognised as the law of the land throughout [US] history”.
In a European Law Blog post, Théodore Christakis, Kenneth Propp and Peter Swire claim that a non-statutory solution, such as an executive order, “could be compatible with the ‘essential equivalence’ requirements” necessary to survive a CJEU challenge.
In another article for the International Association of Privacy Professionals (IAPP), Christakis et al argue that the EU-US DPF’s Data Protection Review Court should also be able to provide “redress” in a way that complies with EU law.
The authors highlight several aspects of the redress mechanism that, they believe, render the DPRC an independent body with effective powers that is a substantial improvement over the Privacy Shield Ombudsperson.
Perhaps unsurprisingly, the Commission also appears confident that its agreement with the US will stand up to scrutiny.
In a Politico webinar broadcast the day before the Commission published its draft adequacy decision, EU Justice Commissioner Didier Reynders rated his confidence in the new framework surviving as “7 or 8” out of 10.
Ultimately, only time will tell if Reynders’ confidence is justified.
What Happens Next?
The draft adequacy decision is, of course, still a draft.
There are several hoops to jump through, both in the EU and the US, before organisations can begin using the EU-US DPF as a way to transfer personal data.
- The European Data Protection Board (EDPB) must scrutinise the draft decision. This process is not binding on the Commission, but if the EDPB finds serious issues with the proposal, this might lead to amendments and a delay.
- The European Parliament will also have the opportunity to review the draft decision, but again, this step is not decisive in the adequacy process.
- The final draft must be approved by a committee of member state representatives known as a “comitology committee”. This part of the process is binding, but the comitology committee has never rejected a draft adequacy decision before.
- Finally, the Commission has confirmed that, unlike with Privacy Shield, the adequacy decision will not take effect until after the US government has fully implemented EO 14086.
According to Reynders, this process should be completed by July 2023.
Following all of this, and assuming that the adequacy decision is adopted, the framework is likely to survive for at least a couple of years until a challenge by Schrems can reach the CJEU (though noyb has suggested that it could be much quicker this time around).
Despite the progress in replacing Privacy Shield, EU controllers of a cautious disposition may wish to maintain any existing transfer mechanisms they already have in place, such as standard contractual clauses (SCCs).
Just in case…