Communications Litigation Today was a Warren News publication.
Skeptics Expect ECJ Invalidation

Biden Signs EO Initiating EU-US Data Transfer Deal

President Joe Biden signed an executive order Friday initiating finalization of a new cross-border data agreement with the EU. Industry applauded the EO, but advocates say the EU-U.S. Data Privacy Framework (DPF) doesn’t resolve outstanding data privacy issues that led the European Court of Justice (ECJ) to invalidate the previous two agreements.

The European Commission said the EO introduces new, binding safeguards to address “all the points” raised by the ECJ, limiting access to EU data by U.S. intelligence services and establishing a data protection review court. The EC said it “will now prepare a draft adequacy decision” and launch its adoption procedure. That involves an opinion from the European Data Protection Board and from a committee made up of representatives from EU governments. In addition, the European Parliament has the right to vet adequacy decisions. EC Vice President Vera Jourova said the EO has “clear safeguards limiting US intelligence access to personal data of Europeans.”

Announced in March, the EU-U.S. DPF “includes robust commitments strengthening the safeguards for U.S. signals intelligence activities” and ensures EU personal data privacy while creating a “new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by such activities,” said Commerce Secretary Gina Raimondo. The deal “fully” addresses the ECJ’s issues in the Schrems II decision and will “cover personal data transfers to the United States under EU law, including those using Standard Contractual Clauses, Binding Corporate Rules, or a future adequacy decision for the EU-U.S. DPF,” she said.

The EO isn’t likely to satisfy EU law, said privacy activist Max Schrems, whose previous legal challenges resulted in ECJ annulment. His preliminary assessment noted two problems: The EO’s terms “necessary” and “proportionate” don’t “have the same legal meaning in the U.S. and the bulk surveillance outlawed by the high court will continue.” The EO’s data protection review court isn’t a “court within the legal meaning of U.S. law; it’s a body within the executive branch, and the procedure wouldn’t amount to ‘judicial redress’ as required under EU law,” he said.

After years of uncertainty for companies with activities across the two continents, the possibility of transferring personal data safely and in compliance with the GDPR [general data protection regulation] is becoming more concrete, emailed Linklaters data protection attorney Tanguy Van Overstraeten. He said he hopes the EO aligns with ECJ requirements so it can “be relied on in the long term and resist the scrutiny of regulators and privacy activists.”

The Computer & Communications Industry Association welcomed the announcement, with President Matt Schruers saying, “Data transfers are at the heart of the transatlantic relationship, fueling the trade that keeps both of our economies running and brings benefits to consumers and businesses of all sizes who need legal clarity on mechanisms to transfer data.” Access Now called it a “positive yet insufficient step” that doesn’t ensure ECJ validation. The new measures aren’t “sufficient to guarantee an effective right to remedy and to put limitations to the far-reaching scope of US surveillance,” said Global Data Protection Lead Estelle Masse. The EO is the first essential step in lifting data transfer burdens for more than 5,000 companies, said Software & Information Industry Association Senior Vice President-Global Policy Paul Lekas: “We believe that the combination of the protection of existing law combined with the state and individual-based mechanisms in the Framework fully address the concerns raised by the European Court of Justice in its Schrems II decision.”

The American Chamber of Commerce in a blog post urged “all parties to ensure a smooth adoption process of the adequacy decision.” The European Consumers’ Organisation emailed that the EO makes “no substantial improvements to address issues related to the commercial use of personal data, an area where the previous agreement, the EU-US Privacy Shield, fell short of GDPR requirements.” It urged both sides to “keep working to improve the situation and not concede to political or corporate pressure.” The EO’s rules don’t go far enough, said the American Civil Liberties Union. The EO still allows the U.S. government to engage in bulk-generalized data collection, and it doesn’t allow for a “wholly independent decision-marker” to resolve EU privacy claims, as required by the EU, ACLU tweeted. NSA whistleblower Edward Snowden accused the U.S. of rubber-stamping another agreement that doesn’t address “unlawful end-runs around our human rights.”

Separately, the U.S. and UK announced “significant progress” on cross-border data transfers. U.K. Secretary of State for Digital, Culture, Media and Sport Michelle Donelan said she “intends to work expediently” to assess the EO in order to issue an adequacy decision to restore a reliable mechanism for U.K.-U.S. data flows. Raimondo agreed to work toward designating the U.K. as a qualifying state under the order, if requisite conditions are met; that would allow people in Britain who submit complaints to access the order’s redress mechanism.