
Europe adopts the US data adequacy decision.

The European Union has adopted a new transatlantic data adequacy agreement with the US.

The long-awaited decision means there is an immediate resolution to the legal uncertainty surrounding exports of EU users' personal data by US companies, a problem that has affected thousands of companies in recent years, large and small, including companies like Meta and Google, to name a few high-profile ones.

During a press conference announcing the adequacy decision, the EU justice commissioner, Didier Reynders, was confident that this one, the third agreement of this type that the bloc's executive has granted to the US, will be definitive.

“With the adoption of the adequacy decision, personal data can now flow freely and securely from the European Economic Area to the United States without further conditions or authorizations,” he said. “Therefore, the adequacy decision guarantees that data can be transmitted between the European Union and the US on the basis of a stable and reliable agreement that protects individuals and provides legal certainty for companies.”

The EU-US Data Privacy Framework (DPF) political agreement was announced in March 2022, but it has taken more than a year to get all the details worked out. Meanwhile, the previous mechanism to simplify data exports across the pond was invalidated by EU judges almost three years ago. Thus, the adoption of a new adequacy agreement really ends years of legal uncertainty plaguing major US cloud services and many other digital players.

That being said, the big question for the DPF is how durable this third data adequacy agreement between the EU and the US will be.

Reynders was much more optimistic than usual on this issue, arguing that the framework is not simply a copy-paste of previous (failed) transfer mechanisms, but "a very different system," one he suggested is "a very robust solution" to an entrenched legal divide.

He also suggested that the EU has listened carefully to feedback as it worked to finalize a framework that he said ensures "full compliance with the conditions set out in the EU's highest court ruling."

“That was my mandate and my approach in these negotiations, and that is reflected in the solutions we have obtained. They specifically address the requirements established by the court regarding the need for limitations and guarantees for access to data by US intelligence agencies in accordance with the principles of necessity and proportionality and the need to guarantee an effective compensation for EU individuals.”

However, legal challenges to the DPF are already underway. Both previous agreements (also known as Safe Harbor and Privacy Shield) were struck down by the bloc's supreme court after judges found exported personal data was not protected to the required legal standard due to risks posed by sweeping US surveillance powers, and privacy advocates warn that the new framework could be before the CJEU in a few months.

A key point for critics is that since the demise of the Privacy Shield we have yet to see reform of US surveillance powers, with lawmakers not accepting the need to reform the controversial FISA 702 provision and pass privacy protections for foreigners' information.

That means that, at bottom, the DPF is still hiding the same fundamental legal conflict, between EU privacy rights and US surveillance powers, and could inexorably face the same assessment of inadequacy once the EU judges analyze the details.

In recent months, several other EU institutions have expressed concern that the Commission's planned replacement lacks clarity, which also suggests that the adjustments to the earlier approach may not provide the necessary essential equivalence in data protection. There has also been recognition by organizations such as the European Data Protection Council that the DPF goes further than previous data transfer agreements. The question is whether or not it goes far enough to meet the CJEU standard.

The Commission's decision in itself doesn't mean much, as it is solely responsible for making EU adequacy decisions, and Reynders admitted that today's green light is essentially a 'unilateral' decision by the EU executive, so the bloc's legislators are once again in a position to do their own homework, despite a history of getting these very equations wrong.

The privacy campaign group noyb, whose founder and chairman Max Schrems was behind the original complaint against Facebook's EU-US data transfers, remains critical of the framework.

In response to the announcement of the Commission's adequacy decision today, noyb confirmed it will file a legal request, saying it has "options for it" ready to be sent to regulators and expects the issue to return to the CJEU early next year.

So we are "partners" with the US, but the US continues to say that EU citizens are "second class" and have no fundamental rights (according to the 4th Amendment). #TADPF - Max Schrems (@maxschrems) July 10, 2023

If noyb's anticipated schedule holds, months (or even years) of deliberation by the EU court would still follow. So a final verdict on the DPF could take years. (For comparative context, legal issues related to the DPF's predecessor, the Privacy Shield, were referred to court in May 2018, with the CJEU ruling annulling the mechanism in July 2020.)

For now, Schrems and noyb argue that the new framework is largely the same as the Privacy Shield that failed to pass EU judges, dismissing the major changes highlighted by the EU and US teams involved in negotiating the replacement agreement, such as the apparent US acceptance of the EU law principle of “proportionate” data use. noyb calls this proportionality theater, arguing that in the Executive Order attached to the DPF, where the US now promises that its surveillance of foreigners will be "proportionate," the US is not assigning the term the same definition that EU judges would understand.

They are also unimpressed by an attempt in the DPF to rework another issue that led the CJEU to skewer the Privacy Shield, related to redress. Instead of the equivalent figure of the Ombudsman, the DPF offers a Civil Liberties Protection Officer and what is called a “Tribunal”. But that body, they point out, is not actually a court of law; rather it is a “partially independent executive body”. They therefore summarize the changes as only “minor improvements”.

“They say that the definition of insanity is doing the same thing over and over again and expecting a different result. Like 'Privacy Shield', the latest agreement is not based on material changes but on political interests," Schrems argued in a statement. “Once again the current Commission seems to think that the mess will be the problem of the next Commission. FISA 702 is due to be extended by the US this year, but with the announcement of the new agreement, the EU has lost all power to achieve FISA 702 reform.”

Anticipating the key lines of attack, Reynders took time to address both areas in his comments, explaining why the Commission believes this agreement is different and will stand.

“We have made significant changes to the US legal framework to address these two sets of requirements,” he suggested. “This new framework is substantially different from the EU-US Privacy Shield as a result of the Executive Order issued by President Biden last year following our negotiations. Necessity and proportionality requirements are now spelled out clearly through binding and enforceable safeguards in the US legal system.

“In practice, this means that when deciding whether and to what extent US intelligence agencies should access data, they will have to weigh the same factors that are required by the case law of the Court of Justice of the EU. These factors include the nature of the data, the seriousness of the threat or the possible impact on the rights of individuals. On that basis, each US intelligence agency has reviewed its internal rules and procedures to implement these new requirements at the operational level."

On the reworked redress mechanism, Reynders described it as "an independent and impartial tribunal that is empowered to investigate complaints made by Europeans and issue binding remedial decisions," noting that the body has the power to order the deletion of data collected in violation of the requirements of necessity or proportionality.

In addition, he stressed that the Commission has paid attention to the accessibility of the remedy, suggesting that the mechanism has been designed to be "user-friendly" and noting that there is no impediment for people from the EU to make a complaint (he stipulated that they can do so in their own language, through their local data protection authority, which will then channel the complaint to the relevant authorities for them).

“Very low admissibility requirements will be applied,” he emphasized. “In particular, the whistleblower will not have to prove that US intelligence agencies have accessed his data. This is very important and crucial to ensure effective access to repair in an area that is by nature secret.

“Before going to court the whistleblower's complaint will be represented by a special lawyer, again, free of charge with the necessary security clearances. These procedures involve a certain degree of secrecy. With a special attorney, the court will make its decision only after hearing both parties. Finally, the operation of this redress mechanism, including aspects of due process and compliance with the new court's decisions, will be overseen by an independent body specifically responsible for data protection, the Privacy and Civil Liberties Oversight Board.”

“The principles of the Data Privacy Framework are strong and I am convinced that we have made significant progress that meets the requirements of the Court,” Reynders said, advising US authorities of the need to actually comply with their commitments.

“At the same time, the Commission will pay special attention to the implementation of this new legal framework and will not hesitate to react in case of any problems or issues,” he pointed out.

Cynics might say that the whole EU-US saga is simply a way for lawmakers on either side of an immovable legal schism to buy another few years of grace (and keep the wheels of trade turning) by repeatedly kicking the critical issue down the road, leaving EU regulators and courts saddled with the resulting consequences (and the companies facing another costly legal mess if the deal ends up being scrapped yet again).

It's a point of view that happens to have quite a bit of credence when you consider how Meta, which has been the subject of a complaint over its EU-US data transfers and was confirmed to be in breach of the bloc's data export requirements, has never had to stop sending Europeans' data even though the exports were found to be illegal.

In May, the tech giant was given a period of around six months to comply with the data suspension order. Now, a few weeks after that order, we have a newly ratified high-level transfer mechanism for the company to adhere to, which means it can simply ignore the still-wet stop order by changing its claimed legal basis for data exports to the DPF and avoid having to suspend any data flow, essentially bypassing strict enforcement (albeit with a bill of around $1.3BN to pay).

This seemingly endless dance, which noyb calls frustrating “legal ping pong”, illustrates how difficult it is for EU citizens to exercise the privacy rights that the law claims exist to protect their information, even as tech giants with lucrative data mining business models continue trampling on people's rights as usual, as long as they make enough profit to be able to write off the penalty payments as a cost of doing business.

Still, Reynders also had a word of caution for US tech giants, noting: "Companies will be required to demonstrate that they are fully compliant with the GDPR [General Data Protection Regulation]."

And on that front, Meta, at least, has a growing headache as EU regulators, and more recently the CJEU, have called into question the legal basis it claims for processing people's data for ad targeting. Even if the ad-tech giant isn't now forced to cut off all its data flows between the EU and the US, some tough reforms to the way it operates its behavioral advertising business in the EU now seem inevitable.
