EU-US trans-Atlantic data transfers ‘deal in principle’ faces tough legal review

The political agreement reached late last month between the European Union and the United States on a new trans-Atlantic data transfers pact, which aims to end years of legal uncertainty for businesses exporting data from the bloc, is not yet a done deal.

The deal in principle faces scrutiny in the coming months once the full text is published — and will most likely face fresh (and fast) legal challenges if it does get adopted, so everything hinges on the detail. 

Yesterday, the European Data Protection Board (EDPB), which advises on compliance with EU data protection law, put out a statement signaling where it will be directing its attention when it reviews this detail — saying it will be paying “special attention to how this political agreement is translated into concrete legal proposals.”

“The EDPB looks forward to assessing carefully the improvements that the new framework may bring in light of EU law, CJEU case law and previous recommendations of the Board, once the EDPB receives all supporting documents from the European Commission,” the board wrote.

“In particular, the EDPB will analyse whether the collection of personal data for national security purposes is limited to what is strictly necessary and proportionate. In addition, the EDPB will examine how the announced independent redress mechanism respects EEA individuals’ right to an effective remedy and to a fair trial. More specifically, the EDPB will look into whether any new authority part of this mechanism has access to relevant information, including personal data, when exercising its mission and whether it can adopt decisions binding on the intelligence services. The EDPB will also consider whether there is a judicial remedy against this authority’s decisions or inaction.”

The EDPB also warned that the political deal is not yet a legal agreement — emphasizing that data exporters must continue to comply with the case law of the bloc’s top court in the meanwhile, especially with the July 2020 ruling by the CJEU, aka Schrems II, which struck down the last EU-U.S. data transfers deal, the EU-US Privacy Shield.

Talking up the political deal reached last month to replace the defunct Privacy Shield, the Biden administration said the U.S. has committed to putting in place “new safeguards” that it said would ensure that state surveillance agencies’ data-gathering activities will be “necessary and proportionate” and linked to “defined national security objectives.”

The clash between the primacy of U.S. surveillance laws and robust EU privacy rights remains the fundamental schism — so it’s difficult to see how any new deal will be able to stand against fresh legal challenges unless it commits to putting hard limits on U.S. mass surveillance programs.

The replacement deal will also need to create a proper avenue for EU individuals to seek and obtain redress if they believe U.S. intelligence agencies have unlawfully targeted them. And that also looks difficult.

Last month, ahead of the announcement of the political agreement, The Hill reported on a U.S. Supreme Court ruling in a case related to FBI surveillance that it suggested made the chance of a deal harder — as the court reinforced state secrets privilege for spying cases by finding that Congress did not eliminate this privilege when it enacted surveillance reforms in the Foreign Intelligence Surveillance Act (FISA).

“Though the opinion left open the possibility that people … nonetheless could pursue claims based on public information about the government’s surveillance, most people need sensitive information from the government to help prove that its surveillance was illegal. The decision could make it easier for the government to shield such information from judges, and therefore harder for most people challenging surveillance to prove their claims and obtain justice in court,” the publication reported.

The need for deeper reforms of FISA has been a key call from critics of previous EU-U.S. data transfer deals (before Privacy Shield, there was Safe Harbor — which was struck down by the CJEU in 2015).

Last month, the White House said the deal agreed in principle would enable EU individuals to “seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the U.S. Government who would have full authority to adjudicate claims and direct remedial measures as needed.”

However, the legal status of this “Review Court” will be key — as the EDPB’s statement underlines.

Moreover, if the U.S. Supreme Court takes a different view that essentially overrides any deal the Biden administration is promising by making it impossible for EU individuals to obtain the information they need to be able to bring a claim against the U.S. government, that would undermine the ability of EU people to actually obtain redress. … And, well, the CJEU has made it clear that EU individuals subject to illegal surveillance in a third country must have a genuine and meaningful way to pursue accountability.

The EDPB’s statement elucidates exactly these concerns — with the board flagging that any “new authority” set up under a claim of delivering redress will need “access to relevant information, including personal data” in order to be able to live up to that mission and will also need to be able to adopt decisions that are binding on the intelligence services.

It’s worth remembering that the Privacy Shield “ombudsperson” regime, which was tested in Privacy Shield, didn’t pass muster with the CJEU — both on grounds of independence and because of the inability of the ombudsperson to adopt decisions that are binding on the intelligence services.

How different a “Data Protection Review Court” would be in those regards remains to be seen.

Max Schrems, the EU privacy campaigner who successfully brought down the last two EU-U.S. data transfers deals, remains skeptical that the latest “fix” offers anything substantially different — recently tweeting another eye-catching visual metaphor to illustrate his early assessment:

Failing genuine surveillance reform in the U.S., it may well be that squaring the data-transfer circle is as steep a challenge as it has proved the last two times around the block. But even if the political imperative inside the EU to do a deal overrides obvious legal gaps — as it did when the last Commission ignored concerns and adopted the Privacy Shield — that will just mean the two sides are buying time until the next CJEU strike down.

Likely not very much time, either.

While Safe Harbor stood for 15 years, Privacy Shield only lasted four — and Schrems has suggested a fresh challenge to another flawed replacement would be fast-tracked into the CJEU “within months” of a final decision to adopt it. So EU lawmakers have been warned.