On October 7, the White House announced an “Executive Order: On Enhancing Safeguards For United States (US) Signals Intelligence Activities.” President Biden did this to secure a new data sharing agreement with the European Union (EU) that would allow U.S. companies to transfer EU citizen data outside of the EU for processing and storage as part of the services they provide. Currently there is no standard data sharing agreement between the EU and the United States. This means that any company operating in the EU and transferring EU citizen data to the United States is at risk of doing so illegally. These include Facebook, Instagram and Google (everything, really), to name a few. Transatlantic data flows are critical to enabling the $7.1 trillion EU-U.S. economic relationship.
How did we get here? Let’s turn back the clock
- In 1995, the EU enacted The Data Protection Directive (DPD). Among other things, it regulated the processing of EU citizens’ personal data within the EU and the free movement of such data.
- Between 1998 and 2000, the EU developed a set of principles to prevent private organizations within the EU or the United States that store customer data of EU citizens from accidentally disclosing or losing personal information. U.S. companies could opt in to a program and be certified per the DPD.
- In July 2000, the European Commission (EU Cabinet government) decided that U.S. organizations that complied with the DPD and registered their certification would be allowed to transfer data from the EU to the United States. This was known as the Safe Harbor decision.
- In 2013, Edward Snowden, a former computer intelligence contractor for the NSA, obtained and leaked classified information about numerous surveillance programs run by the NSA that collected, stored, and processed any and all data that passed into the United States through what is known as Signals Intelligence Activities.
- In 2015, Maximilian Schrems, a German lawyer, made a complaint to the Irish Data Protection Commissioner to suspend data transfers from Facebook Ireland (EU) to Facebook Inc. (US), because Snowden’s leaks revealed that his personal data could be accessed by U.S. intelligence authorities via Signals Intelligence Activities, which violated his data protection rights under EU law. As a result of the legal challenge brought by Herr Schrems, the Court of Justice of the European Union (CJEU) ruled that the European Commission’s adequacy determination for the U.S.-EU Safe Harbor Framework was invalid. This decision is now known as Schrems I.
- The European Commission and the U.S. Government started talks about a new framework and reached an agreement in February 2016.
- On July 8, 2016 EU member states’ representatives approved the final version of the EU-U.S. Privacy Shield agreement. The European Commission adopted the framework on July 12, 2016 and it went into effect the same day. This meant data transfers from the EU to the United States could continue legally.
- In 2020, after further legal action from Herr Schrems, the EU-U.S. Privacy Shield data sharing agreement was struck down by the European Court of Justice (ECJ) on the grounds that it did not provide adequate protections to EU citizens from government surveillance. This decision is now known as Schrems II.
What does the new Executive Order do?
The Executive Order (EO) seeks to address the many objections against the previous data sharing agreements by:
- Setting 12 standards which must be met by U.S. intelligence agencies for the collection and/or processing of any personal data
- Committing U.S. government surveillance agencies to collect data only “in pursuit of defined national security objectives” and to “take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence”
- Creating a U.S. court and process by which EU citizens can bring a challenge that their data has been unlawfully processed, and providing a right to recourse
Members of European Parliament have their say
Members of European Parliament (MEPs) are starting to weigh in on Biden’s EO. Here are some of their quotes:
- “These are only empty words”
- “Old wine in new bottles”
- “This paper tiger will not withstand an ECJ review”
Why the hostility?
Well, first and foremost (and most obvious) is the EO Fact Sheet’s statement on “U.S. signals intelligence activities, including requiring that such activities be conducted only in pursuit of defined national security objectives;” when the reason these programs exist, and existed in secret before Snowden’s leaks, was the exact same thing: national security. You can’t square that circle no matter how hard you try.
Another objection is that an adequacy agreement based on the terms of the EO would effectively amount to the EU signing off on U.S. surveillance of EU citizens whenever the 12 standards are met, which, again, doesn’t comply with any EU privacy law.
NOYB has set out a number of objections; here are two of the most pertinent ones:
“Court” is not a real Court. The Executive Order is meant to also add redress. There will now be a two step procedure, with the first step being an officer under the Director of National Intelligence and a second step being a “Data Protection Review Court”. However, this will not be a “Court” in the normal legal meaning of Article 47 of the Charter or the US Constitution, but a body within the US government’s executive branch. The new system is an upgraded version of the previous “Ombudsperson” system, which was already rejected by the CJEU. It seems clear that this executive body would not amount to “judicial redress” as required under the EU Charter.
Judgment by “Court” already spelled out in Executive Order. Users will have to raise issues with a national body in the EU, who will in turn raise the issue with the US government. The US government will neither confirm nor deny that the user was under surveillance and will only inform the user that there was either no violation or it was remedied (see Section 3(c)(E) of the EO). This also makes the option for an appeal useless, as there is simply nothing to appeal about, as long as the user got this rubber stamp answer. Section 3(i)(d)(H) even goes so far as to spell out what the “Court” will respond to – no matter your arguments or case: “the review either did not identify any covered violations or the Data Protection Review Court issued a determination requiring appropriate remediation.”
So what happens next?
The European Commission will review the EO and if it is deemed to provide equivalent data protection standards as those existing under EU law, it will grant an adequacy decision resulting in a new EU – US data sharing agreement. (I wonder what they’ll call this one?)
Were a new sharing agreement to be implemented based on the current EO, it surely wouldn’t be long before legal challenges were put to the ECJ. The likely outcome of such challenges would be another invalidation of an EU – US data sharing agreement (Schrems III!). Herr Schrems should get to take home the match ball at that point (a football reference; soccer, for U.S. readers).
If the European Commission does not grant an adequacy decision it will be back to the drawing board for the United States. While the way forward is simple—limit U.S. intelligence agency data gathering activity and enforce it via independent oversight—it’s by no means easy or even possible. How long this back and forth could continue while EU – US data transfers carry on without any legal framework is anyone’s guess.
What does this mean for your business?
Not much at the moment beyond wait and see with a side of prepare for the worst. If you’re not sure where to start in creating your privacy strategy, we’re here to chat.