Third time's the charm, they say. However, whether this also applies to the planned successor agreement to the EU-U.S. Privacy Shield and Safe Harbor is more than questionable. The EU Commission and the U.S. government have announced initial details of the planned new transatlantic data protection agreement, the EU-U.S. Data Privacy Framework (EU-U.S. DPF). Both sides express confidence that, on the third attempt, an agreement on the exchange of personal data between the EU and the U.S. that complies with fundamental rights will now be reached.
Update: On Friday, 7 October 2022, U.S. President Joe Biden signed the first of the promised Executive Orders (E.O.): the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities. The E.O. specifies the steps that the U.S. will take to implement the U.S. commitments under the EU-U.S. Data Privacy Framework (EU-U.S. DPF) announced on 25 March 2022.
The steps listed therein include: adding further safeguards, such as requiring U.S. signals intelligence agencies to take into consideration the privacy of all persons, regardless of nationality or country of residence; setting out requirements for the handling of personal data; and creating a review and redress mechanism for violations of those personal data handling requirements under U.S. law.
The E.O. is intended to serve as the basis for the EU Commission to adopt a new adequacy decision. However, it is far from certain whether a new adequacy decision will be granted on the basis of this E.O. Should it be, it is highly doubtful that it will survive a CJEU judgment.
The planned agreement on the exchange of personal data
In a press release on March 25, 2022, U.S. President Joe Biden and EU Commission President Ursula von der Leyen assert that the planned approach would bring an “unprecedented commitment” from the U.S., which is ready to implement reforms that will strengthen privacy and civil liberties protections in telecommunications surveillance and signals intelligence. According to von der Leyen, the new agreement will “enable predictable and trustworthy data flows between the EU and the U.S. and ensure the protection of privacy and civil liberties.”
At present, however, this is only a political agreement, and precise details of the new arrangement have not been provided. Moreover, there is no sign yet that the U.S. will make any changes to its surveillance laws. Apparently, there are only to be assurances in the form of so-called Executive Orders. Accordingly, U.S. security agencies are to “establish procedures to ensure effective oversight of the new privacy and civil liberties standards.”
In addition, there will be a “new two-tiered redress system of investigation and resolution of complaints by Europeans about access to data by U.S. intelligence agencies.” A special court is to be made responsible for examining such submissions. The EU Commission also speaks of “strict requirements for companies that process data obtained from the EU.” Accordingly, the obligation to self-certify (as under the EU-U.S. Privacy Shield and the Safe Harbor that preceded it) remains in place, requiring these companies to follow the relevant principles of the U.S. Department of Commerce. Furthermore, “specific monitoring and review mechanisms” have been agreed upon. These measures are intended to protect the “data of Europeans transferred to the U.S., taking into account” the Schrems II ruling.
Data protection assessment
It should be noted that these are only assurances. Executive Orders have no external effect and cannot be enforced by individuals. In both the Schrems I (Safe Harbor) and Schrems II (EU-U.S. Privacy Shield) rulings, the Court of Justice of the European Union (CJEU) found that U.S. laws such as the Foreign Intelligence Surveillance Act (FISA) or the CLOUD Act allow for mass surveillance by security agencies, and that the standard of data protection in the United States is therefore not equivalent to that in the EU.
While the political agreement is a necessary first step, it is far from being the light at the end of the tunnel. Companies need legal certainty, and the political will needs to be cast in a resilient legal regulation. Many companies in Europe store their data in the cloud or use software or video conferencing systems from U.S. providers, and are therefore dependent on American service providers.
At the moment, this political announcement creates even more legal uncertainty, as a final text is not yet available. Moreover, it will be some time before a new agreement is put on paper and adopted. It will then have to be reviewed by the European Data Protection Board before an actual adequacy decision is available. All of this may take a few more months.
If the new agreement does not meet the requirements of EU law, its lifespan will be limited to the time it currently takes for proceedings before the CJEU to reach a decision. This is because we can assume that data protection activist Max Schrems and his association noyb (none of your business) will examine any new agreement on transatlantic data transfers extremely closely.