The Latest on the EU – US Data Sharing Agreement

On October 7, the White House announced an “Executive Order: On Enhancing Safeguards For United States (US) Signals Intelligence Activities.” President Biden did this to secure a new data sharing agreement with the European Union (EU) that would allow U.S. companies to transfer EU citizen data outside of the EU for processing and storage as part of the services they provide. Currently there is no standard data sharing agreement between the EU and the United States. This means that any company operating in the EU and transferring EU citizen data to the United States is at risk of doing so illegally. These include Facebook, Instagram, Google, (everything really) to name a few. Transatlantic data flows are critical to enabling the $7.1 trillion EU-U.S. economic relationship.

How did we get here? Let’s turn back the clock

• In 1995, the EU enacted The Data Protection Directive (DPD). Among other things, it regulated the processing of EU citizens’ personal data within the EU and the free movement of such data.
• Between 1998 and 2000, the EU developed a set of principles to prevent private organizations within the EU or United States which store customer data of EU citizens from accidentally disclosing or losing personal information. U.S. companies could opt-in to a program and be certified per the DPD.
• In July 2000, the European Commission (EU Cabinet government) decided that U.S. organizations that complied with the DPD and registered their certification would be allowed to transfer data from the EU to the United States. This was known as the Safe Harbor decision.
• In 2013, Edward Snowden, a former computer intelligence contractor for the NSA, obtained and leaked classified information about numerous surveillance programs run by the NSA that collected, stored, and processed any and all data that passed into the United States through what is known as Signals Intelligence Activities. 
• In 2015, Maximillian Schrems, a German lawyer, made a complaint to the Irish Data Protection Commissioner to suspend data transfers from Facebook Ireland (EU) to Facebook Inc. (US) because Snowden’s leaks revealed that his personal data could be accessed by U.S. intelligence authorities via Signals Intelligence Activities which violated his data protection rights under EU law. As a result of the legal challenge brought by Herr Schrems, the CJEU ruled that the European Commission’s adequacy determination for the U.S.-EU Safe Harbor Framework was invalid. This decision is now known as Schrems I.
• The European Commission and the U.S. Government started talks about a new framework and reached an agreement in February 2016.
• On July 8, 2016 EU member states’ representatives approved the final version of the EU-U.S. Privacy Shield agreement. The European Commission adopted the framework on July 12, 2016 and it went into effect the same day. This meant data transfers from the EU to the United States could continue legally.
• In 2020, after further legal action from Herr Schrems, the EU-US Privacy Shield for data sharing agreement was struck down by the European Court of Justice (ECJ) on the grounds it did not provide adequate protections to EU citizens from government surveillance. This decision is now known as Schrems II.

What does the new Executive Order do?

The Executive Order (EO) seeks to address the many objections against the previous data sharing agreements by:

• Setting 12 standards which must be met by U.S. intelligence agencies for collecting and/or processing of any personal data
• The EO commits U.S. government surveillance agencies to collect data only: “in pursuit of defined national security objectives;” and “take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence”
• The EO also creates a U.S. court and process by which EU citizens bring a challenge that their data had been unlawfully processed and provide a right to recourse

Members of European Parliament have their say

Members of European Parliament (MEPs) are starting to weigh-in on Biden’s EO. Here are some of their quotes:

• “These are only empty words”
• “Old wine in new bottles”
• “This paper tiger will not withstand an ECJ review”

Why the hostility?

Well first, foremost (and most obvious) is the EO Fact Sheet statement of “U.S. signals intelligence activities, including requiring that such activities be conducted only in pursuit of defined national security objectives;” when the reason these programs exist, and did so in secret before Snowden’s leaks, was for the exact same reason: national security. Can’t square that circle no matter how hard you try.

Another of the objections is that an adequacy agreement based on the terms of the EO would effectively amount to the EU signing-off on U.S. surveillance of EU citizens if the 12 standards are met which, again, doesn’t comply with any EU privacy law.  

Further objections

The NOYB have set out a number of objections, here are two of the most pertinent ones:

“Court” is not a real Court. The Executive Order is meant to also add redress. There will now be a two step procedure, with the first step being an officer under the Director of National Intelligence and a second step being a “Data Protection Review Court”. However, this will not be a “Court” in the normal legal meaning of Article 47 of the Charter or the US Constitution, but a body within the US government’s executive branch. The new system is an upgraded version of the previous “Ombudsperson” system, which was already rejected by the CJEU. It seems clear that this executive body would not amount to “judicial redress” as required under the EU Charter.

Judgment by “Court” already spelled out in Executive Order. Users will have to raise issues with a national body in the EU, who will in turn raise the issue with the US government. The US government will neither confirm nor deny that the user was under surveillance and will only inform the user that there was either no violation or it was remedied (see Section 3(c)(E) of the EO). This also makes the option for an appeal useless, as there is simply nothing to appeal about, as long as the user got this rubber stamp answer. Section 3(i)(d)(H) even goes so far to spell out what the “Court” will respond to – no matter your arguments or case: “the review either did not identify any covered violations or the Data Protection Review Court issued a determination requiring appropriate remediation.”

So what could happen?

The European Commission will review the EO and if it is deemed to provide equivalent data protection standards as those existing under EU law, it will grant an adequacy decision resulting in a new EU – US data sharing agreement. (I wonder what they’ll call this one?) 

Were a new sharing agreement to be implemented based on the current EO, it surely wouldn’t be long before legal challenges are put to the ECJ. The likely outcome of such challenges would be another invalidation of an EU – US data sharing agreement (Schrems III!). Herr Schrems should get to take home the match ball at that point (football (as in soccer for U.S. readers) reference).

If the European Commission does not grant an adequacy decision it will be back to the drawing board for the United States. While the way forward is simple—limit U.S. intelligence agency data gathering activity and enforce it via independent oversight—it’s by no means easy or even possible. How long this back and forth could continue while EU – US data transfers carry on without any legal framework is anyone’s guess. 

Update: June 2023 

Since this article was published in October 2023, there have been a few developments:

• December 13, 2022: The European Commission published its draft adequacy decision in favor of the proposal paving the way for finalization of the Data Protection Framework. Hooray!
• But before that could happen, both the EU Parliament and the European Data Protection Board (EDPB) would be able to provide their (non-binding) opinions to the European Commission for consideration prior to making their final decision. Cue ominous music …
• February 14, 2023: the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) published their draft decision rejecting the European Commision’s adequacy decision stating it “fails to create actual equivalence in the level of protection” offered by the GDPR and recommended the European Commission only adopt an adequacy decision when “meaningful reforms were introduced, in particular for national security and intelligence purposes” on the part of the United States. Quelle surprise!
• February 28, 2023: The EPDB released its non-binding opinion which was pretty much the same as what LIBE released: it applauded the requirements of necessity and proportionality for U.S. intelligence gathering of data and the new redress mechanism for EU data subjects but highlighted concerns relating to “certain rights of data subjects, onward transfers, the scope of exemptions, temporary bulk collection of data and the practical functioning of the redress mechanism.” Good, but not good enough. 
• April 13, 2023: In a vote, the LIBE MEPs formally reject proposed EU-US Data Privacy Framework stating the European Commission should not grant the United States an adequacy decision. 2 Quelle 2 surprise! The sequel we all saw coming.
• May 11, 2023: MEPs vote 306-27 (with 231 abstentions) to adopt a non-binding opinion rejecting the proposed EU-U.S. Data Privacy Framework. The opinion called the DPF “an improvement” but MEPs took issue with the elephant in the room, the ongoing bulk data collection by U.S. foreign intelligence agencies, among other outstanding issues.
• May 15-18, 2023: A handful of MEPs traveled to the United States for a visit to discuss, among other things, the EU-U.S. Privacy Framework with representatives from the U.S. Department of Justice’s Data Protection Review Court and the Office of the Director of National Intelligence. There’s been little to no information, at least not that I’ve been able to turn up, on the outcomes of that three-day soiree. 

So what could happen?

The European Commission will grant an adequacy decision or it won’t. As for when, it’s not clear but the vote is rumored to take place sometime in the next six months. While the opinions from LIBE, EPDB, and every other MEPs not on either of those committees paints the prospects of an adequacy decision poorly, they’re non-binding so the European Commission can forget they ever read them right after they read them and/or while they’re making their decision. 

Because while every opinion raises valid points, the question is whether there’s any appetite to go back to negotiating the DPF with no movement on the indiscriminate data collection of the U.S. government national security apparatus? You know, the elephant in the room. 

I wouldn’t be surprised if adequacy is granted, effectively punting the whole lot back to the courts and give Herr Schrems his chance at a third victory at the European Court of Justice (ECJ) against an EU-US data sharing agreement. Then we could repeat everything all over again, but more quickly each time what with not halving the time it took to strike down the second DPF from the first.

Update September 2023

Well on July 10, as expected, the European Commission adopted a new adequacy decision for safe and trusted EU-US data flows saying: “The decision concludes that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework. On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards.”

But not everyone is using the agreement, yet

The Wall Street Journal reports that under the previous EU-U.S. Privacy Shield agreement some 5,000 or so businesses transferred data “whereas approximately 2,500 companies are utilizing the Data Privacy Framework (DPF).” Turns out those not using the DPF are using the contractual clauses that were negotiated as a result of the invalidation of the previous agreement which are still valid for a few years saving them from having to go through the new process for a while—yet which means they can wait and see about the outcome of the legal challenges both in progress and still to come. 

Legislation underway

It took a little over two months for the latest EU-US data transfer agreement to be challenged; French politician and member of the National Assembly, Philippe Latombe, announced last week that he would take legal action against the adequacy agreement. Latombe is pushing for the immediate suspension of the agreement because the DPF doesn’t address the key issues that led to the annulment of the previous agreements, the elephant in the room, U.S. surveillance law which permits surveillance of EU citizens’ data when it enters the United States.

More on the way

Schrems has already confirmed the NOYB legal challenge is imminent, likely to be submitted early next year, saying: “They say the definition of insanity is doing the same thing over and over again and expecting a different result. Just like ‘Privacy Shield’ the latest deal is not based on material changes, but by political interests. Once again the current Commission seems to think that the mess will be the next Commission’s problem,” said NOYB Honorary Chair Max Schrems. “We now had ‘Harbors,’ ‘Umbrellas,’ ‘Shields’ and ‘Frameworks’ — but no substantial change in US surveillance law. … Just announcing that something is ‘new,’ ‘robust’ or ‘effective’ does not cut it before the Court of Justice. We would need changes in U.S. surveillance law to make this work — and we simply don’t have it.””

What does this mean for your business?

Not much at the moment beyond wait and see with a side of prepare for the worst. If you’re not sure where to start, we’re here to chat.