12 October 2022

The Trans-Atlantic Privacy Framework is taking shape. But will it stick?

U.S. President Biden has signed an executive order detailing regulations for the planned EU-U.S. Data Privacy Framework. The legal limbo is likely to continue for businesses on both sides of the Atlantic.

For months, data privacy professionals around the world had been waiting for this announcement, and it finally came last Friday, six months after the US and the EU jointly announced an agreement in principle.

US President Joe Biden signed an executive order laying the basis for a potential new EU-US privacy framework. Its predecessor, the EU-US Privacy Shield, was invalidated by the Court of Justice of the European Union (CJEU) in its landmark Schrems II ruling of July 2020, which found that US law did not guarantee a level of protection for personal data essentially equivalent to that required in the EU under the General Data Protection Regulation (GDPR) and the Charter of Fundamental Rights.

Privacy Shield enabled the free flow of EU citizens' personal data to certified US companies. Since the Schrems II ruling, these data flows, and the companies facilitating them, have been caught in legal limbo.

Though personal data transfers continue to this day on a massive scale, further court rulings and decisions by data protection authorities (DPAs) in EU member states have scrutinised these transfers ever more closely, and some of them, the use of Google Analytics for example, have been declared unlawful.

For these reasons, a successor to Privacy Shield has been longed for by thousands of organisations in the US and EU hoping to reclaim legal certainty for international data transfers under the GDPR. 

But will the new EU-US Data Privacy Framework detailed in the executive order achieve this goal? Let’s take a quick look at the main points.

New Privacy Framework: The Main Points

In essence, the CJEU struck down Privacy Shield because personal data transferred to the US is not subject to safeguards comparable to those in place in the EU. In particular, the court pointed to the surveillance programmes authorised under Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, which allow US intelligence agencies to collect personal data on a large scale without being bound by the principle of proportionality and without giving EU data subjects an effective judicial remedy. The scale of these practices had been confirmed by NSA whistleblower Edward Snowden.

The White House tries to address these concerns with its new executive order. The main elements are:

  • Civil Liberties Protection Officer 

One set of measures detailed in the order strengthens the review process by introducing two layers of redress.

The first layer is the Civil Liberties Protection Officer (CLPO) in the Office of the Director of National Intelligence. The CLPO will investigate complaints and decide whether or not a privacy violation has occurred. If a violation is found, the CLPO determines the appropriate remedial measures. These decisions will be binding on the intelligence agencies.

  • Data Protection Review Court

As a second layer, the executive order directs the Attorney General to establish a Data Protection Review Court to “provide independent and binding review of the CLPO’s decisions, upon an application from the individual or an element of the Intelligence Community”, according to the White House. 

It further states that the judges on this court will be appointed from outside the US government and are expected to have experience in data privacy and national security law. They should also "review cases independently, and enjoy protections against removal."

  • New Rules for Intelligence Agencies

As a third set of measures, the executive order places additional requirements on intelligence agencies regarding the collection and handling of personal data, "requiring that such activities be conducted only in pursuit of defined national security objectives."

Intelligence agencies are to take "into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence", and signals intelligence activities should be "conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority."

In both substance and wording, the executive order is clearly designed to echo the GDPR's high standard of protection. But will it actually hold up to judicial scrutiny?

Unfortunately, businesses should not get their hopes up too high. 

Schrems: “Core issues not solved”

The new framework is not expected to take effect before March 2023, and it will very likely face legal challenges the moment it does.

One of the first analyses came from the privacy NGO None of Your Business (NOYB), chaired by the Austrian activist Max Schrems, after whom the Schrems II ruling is named.

Schrems and NOYB expressed serious doubts about whether the new measures will withstand review. Despite the reassuring language of the executive order, "there is no indication that US mass surveillance will change in practice", the group said.

Max Schrems particularly criticised the use of the term “proportionate”. “The EU and the US now agree on use of the word ‘proportionate’ but seem to disagree on the meaning of it. In the end, the CJEU’s definition will prevail – likely killing any EU decision again. The European Commission is again turning a blind eye on US law, to allow continued spying on Europeans.”

NOYB also disputes that the Data Protection Review Court is a court at all, citing the US Constitution and arguing that it functions as a body within the executive branch. "It seems clear that this executive body would not amount to 'judicial redress' as required under the EU Charter", the group said.

A Way Out

The next steps for the new framework are an adequacy procedure on the European side: the European Commission drafts an adequacy decision, which is then reviewed by the European Data Protection Board, the Member States and the European Parliament. The decision to adopt the framework, however, rests with the Commission alone.

Until then, and also after the framework takes effect, transatlantic data transfers will continue to rest on uncertain legal ground. It is entirely possible that the CJEU strikes down the new framework just as it did Privacy Shield.

For companies and organisations hoping to escape this legal limbo, technical measures such as JENTIS server-side tracking remain the only reliable way to become GDPR-compliant and, most importantly, to stay compliant regardless of how the legal fight around the new framework plays out.

By the way, for our readers in the UK: an interesting analysis of the consequences for UK data transfers is linked here.
