The European Union has adopted a new transatlantic data adequacy agreement with the U.S.
The much anticipated decision means there’s an immediate resolution to legal uncertainty around exports of EU users’ personal data by U.S. companies — a problem that’s affected thousands of businesses in recent years, big and small, including the likes of Meta and Google to name a couple of the most high-profile examples.
Speaking during a press conference announcing adoption of the U.S. adequacy decision, EU justice commissioner Didier Reynders sounded confident that this time — the third such high-level data transfer arrangement the bloc’s executive has granted the U.S. — will indeed be third time lucky.
“With the adoption of the adequacy decision, personal data can now flow freely and safely from the European Economic Area to the United States without any further conditions or authorizations,” he said. “Therefore, the adequacy decision, ensure that data can be transmitted between the European Union and the U.S. on the basis of a stable and trusted arrangement that protects individuals and provides legal certainty to companies.”
Political agreement on the EU-U.S. Data Privacy Framework (DPF) was announced back in March 2022 but it’s taken over a year to get all the i’s dotted and t’s crossed, while the prior mechanism for simplifying exports of data over the pond was invalidated by EU judges almost three years ago. So the adoption of a new adequacy deal really does pull the shutter down on years of legal uncertainty affecting major U.S. cloud services and scores of other digital players.
That said, the big question for the DPF is how enduring this third EU-U.S. data adequacy agreement will be — and that very much remains to be seen, despite the EU taking more time than it did last time to sweat the detail of the new framework.
At today’s press conference Reynders was sounding a lot more bullish than usual on this topic, arguing the framework is not simply a copy/paste of earlier (failed) transfer mechanisms but “a very different system” — one he suggested is “a very robust solution” to an entrenched legal divide.
He also suggesting the EU has listened closely to feedback as it worked to finalize a framework he claimed ensures “full compliance with the conditions set in the ruling of the EU’s highest court.”
“This was my mandate and my focus in these negotiations, and this is reflected in the solutions we have obtained,” he suggested. “They specifically address the requirements set by the court as regards the need for limitations and safeguards for access to data by U.S. intelligence agencies in line with the principles of necessity and proportionality and the need to ensure effective redress for EU individuals.”
Nonetheless, legal challenges to the DPF are on the way. Both predecessor arrangements (i.e., Safe Harbor and Privacy Shield) were struck down by the bloc’s top court after judges found exported personal data was not protected to the required legal standard given risks posed by sweeping U.S. surveillance powers. And privacy campaigners are warning the new framework could be in front of the CJEU (Court of Justice of the European Union) within months.
One key point for critics is that since Privacy Shield’s demise, we have still not seen reform of U.S. surveillance powers, with no moves by lawmakers to accept the need to reform the controversial FISA 702 provision and pass protections for foreigners’ information.
That means, at root, the DPF is still papering over the same fundamental legal conflict between EU privacy rights and U.S. surveillance powers, and it could inexorably face the same assessment of inadequacy once EU judges get to scrutinize the detail.
In recent months, a number of other EU institutions have raised concerns that the Commission’s planned replacement lacks clarity, also suggesting the tweaks on the prior approach may fall short of delivering the necessary essential equivalence in protection for data when it’s over the pond. Although there has also been a recognition by bodies such as the European Data Protection Board that the DPF goes further than earlier data transfer deals. The question is whether it goes far enough to meet the CJEU’s bar.
The Commission decision itself doesn’t mean much since it’s solely responsible for adopting EU adequacy decisions — and Reynders conceded that today’s green light is essentially a “unilateral” decision by the EU’s executive — so the bloc’s lawmakers are in the luxurious position of getting to mark their own homework once again, despite a history of getting these self-same equations wrong.
Privacy campaign group noyb — whose founder and chairman, Max Schrems, was behind the original complaint against Facebook’s EU-U.S. data transfers — remains critical of the framework.
Responding to the Commission’s adequacy decision announcement today, noyb confirmed it will lodge a legal challenge — saying it has “options for a challenge” ready to be sent to regulators and expects the issue to be back with the CJEU by the beginning of next year.
If noyb’s slated timeline holds, it would still have to be followed by months (or even years) of deliberation by the bloc’s court. So a final verdict on the DPF could be years away. (For some comparative context, legal questions pertaining the DPF’s predecessor, Privacy Shield, were referred to the court in May 2018 — with the CJEU ruling striking down the mechanism landing in July 2020.)
For now, Schrems and noyb argue the new framework is largely the same as the Privacy Shield that failed to pass must with EU judges — dismissing the main changes highlighted by EU and U.S. teams involved in negotiating the replacement deal, such as the U.S. apparently adopting an EU law principle of “proportionate” data use. This amounts to proportionality theater, noyb suggests, arguing the U.S. is not assigning the same definition to the term that EU judges would understand in the Executive Order attached to the DPF where the U.S. now vows its surveillance of foreigners will be “proportionate.”
They are also also unimpressed by an attempt in the DPF to rework another problem that led to the CJEU skewering Privacy Shield — related to redress. So instead of the latter’s ombudsperson, the DPF offers up a civil liberties protection officer and what’s being named as a “court” but that, they point out, is not actually a court of law; rather it’s a “partly independent executive body” — hence summing up the changes as only “minor improvements.”
“They say the definition of insanity is doing the same thing over and over again and expecting a different result. Just like ‘Privacy Shield’ the latest deal is not based on material changes but by political interests,” argued Schrems in a statement. “Once again the current Commission seems to think that the mess will be the next Commission’s problem. FISA 702 needs to be prolonged by the U.S. this year but with the announcement of the new deal the EU has lost any power to get a reform of FISA 702.”
Anticipating the key lines of attack, Reynders took some time to tackle both areas in his remarks today — fleshing out why the Commission thinks this deal is different and will stick. He said:
We have achieved significant changes to the U.S. legal framework to address these two sets of requirements. This new framework is substantially different than the EU-U.S. Privacy Shield as a result of the Executive Order issued by President Biden last year following our negotiations. The necessity and proportionality requirements are now clearly spelled out through binding and enforceable safeguards in the U.S. legal order.
In practice this means that when deciding whether and to what extent U.S. intelligence agencies should access data, they will be required to balance the same factors as those required by the case law of the EU Court of Justice. These factors include the nature of the data, the seriousness of the threat, or the likely impact on the rights of individuals. On that basis, each U.S. intelligence agency has reviewed its internal rules and procedures to implement these new requirements at the operational level.
On the reworked redress mechanism, Reynders described it as “an independent and impartial tribunal that is empowered to investigate complaints lodged by Europeans and to issue binding remedial decisions,” also noting the body has the power to oder the deletion of data collected in violation of the requirements of necessity or proportionality.
He further emphasized that the Commission has paid attention to accessibility of redress — suggesting the mechanism has been designed to be “user friendly” and noting there’s no charge for EU people to lodge a complaint (which he stipulated they can do in their own language via their local data protection authority, which will then channel the complaint to the relevant authorities for them).
He emphasized:
Very low admissibility requirements will apply. In particular, the complainant will not have to demonstrate that their data has been accessed by U.S. intelligence agencies. This is very important and this is crucial to ensure effective access to redress in an area which is by nature secret.
Before the [tribunal] the complainant’s interest will be represented by a special advocate, again, free of charge with the necessary security clearances. These proceedings involve a certain degree of secrecy. With a special advocate, the court will take its decision only after hearing both sides. Finally, the functioning of this redress mechanism, including due process aspects and compliance with the decisions of the new court, will be overseen by an independent body specifically responsible for data protection, the Privacy and Civil Liberties Oversight Board.
“The principles of the Data Privacy Framework are solid and I’m convinced that we have made significant progress which meets the requirements of the Court,” Reynders also said, before offering a word of caution to U.S. authorities vis-à-vis the need to actually deliver on their commitments.
“At the same time the Commission will be paying particularly close attention to implementation of this new legal framework and will not hesitate to react in case of any problems or issues,” he warned.
Cynics might say the whole EU-U.S. adequacy saga is simply a way for lawmakers on either side of an immoveable legal schism to buy another few years’ grace (and keep the wheels of commerce turning) by repeatedly kicking the flash-point down the road — leaving EU regulators and courts saddled with the resulting fallout (and businesses facing yet another expensive legal mess if the deal ends up being unpicked yet again).
It’s a point of view that’s lent credence when you consider how Meta, which has been subject to a complaint over its EU-U.S. data transfers for around a decade — and was finally, earlier this year, ordered to suspend data flows after EU privacy regulators confirmed the breach of the bloc’s data export requirements — has never actually had to stop shipping out Europeans’ data despite the exports being found to be unlawful.
In May the tech giant was given a period of around six months to comply with the data suspension order. Now, a few weeks on from that order, we have a freshly ratified high-level transfer mechanism for the company to latch on to — meaning it can simply ignore the still ink-wet suspension order by switching its claimed legal basis for data exports to the DPF and avoid actually having to suspend any data flows, essentially dodging hard enforcement (albeit, with a bill of around $1.3 billion to pay).
This seemingly never-ending dance — which noyb dubs a frustrating “legal ping pong” — illustrates how challenging it is for EU citizens to exercise the privacy rights the law claims exists to protect their information, even as tech giants with lucrative data-mining business models get to carry on trampling people’s rights as per usual, just so long as they make enough profit to be able to write off any penalty payments as a cost of doing business.
Still, Reynders had a word of caution for U.S. tech giants today: “It will be for the companies to show that they’re in full compliance with the GDPR [General Data Protection Regulation].”
And on that front, Meta, at least, does have a growing headache as EU regulators — and, most recently, the CJEU — have cast doubt upon the legal basis it claims for processing people’s data for ad targeting. So even if the adtech giant won’t now be forced to cut off all its EU-U.S. data flows, some hard reforms to how it operates its behavioral advertising business in the EU do now look unavoidable.