With both Privacy Shield and Safe Harbor having been previously struck down by legal challenges, experts question whether US President Biden’s executive order implementing the new Trans-Atlantic Data Policy Framework will stand up to scrutiny.
The thousands of companies waiting for a new US-EU data-transfer agreement to go into effect soon and ease the burdensome legal work necessary for cross-border data transfer shouldn’t get their hopes up. US President Joe Biden’s executive order to implement rules for the Trans-Atlantic Data Policy Framework agreed on earlier this year is a move in the right direction, but the new pact won’t go into effect until next spring at the earliest, and even then it is bound to face legal challenges, say public policy and legal experts.
The executive order, signed by Biden on October 7, puts new restrictions on electronic surveillance by American intelligence agencies and gives Europeans new avenues to launch a complaint when they believe their personal information has been used unlawfully by US intelligence agencies.
The move comes two years after the European Court of Justice shut down the previous EU-US data sharing agreement known as Privacy Shield on grounds that the US doesn’t provide adequate protection for personal data, particularly in relation to state surveillance.
The new Trans-Atlantic Data Policy Framework is meant to improve US privacy safeguards, replace Privacy Shield, and eventually pass Court of Justice scrutiny when expected legal challenges are lodged. However, despite both the Biden Administration and the European Commission releasing statements endorsing the newly proposed data pact, it’s far from a done deal, according to Jonathan Armstrong, a compliance and technology lawyer at UK-based compliance specialists Cordery.
“Both the White House and the European Commission might be saying that they are confident, but we’ve been down this road before, with both sides saying that Privacy Shield would stand up to judicial scrutiny. It didn’t,” Armstrong said.
What’s next for the Trans-Atlantic Data Policy Framework
First, the EU must confirm that the new rules established by Biden’s executive order are adequate to meet the standards agreed on in the trans-Atlantic framework, which in turn was crafted to offer privacy protections equivalent to the EU’s GDPR (General Data protection Regulation).
Over the next few months, the European Commission, the EU’s executive body, will propose a draft adequacy decision and launch an adoption procedure, which includes consulting with the European Data Protection Board (EDPB) and obtaining approval from a committee composed of representatives of the EU member states, according to a Commission statement. [ Attend Virtual Summit on November 8 – CIO’s Future of Cloud Summit: Mastering Complexity & Digital Innovation – Register Today! ]
The European Parliament will also likely want to scrutinize the deal before it becomes ratified, Armstrong said.
Meanwhile, Max Schrems—the Austrian activist and lawyer whose complaints against Facebook for GDPR violations led to the demise of Privacy Shield and its precursor agreement, Safe Harbor—has already said that he might challenge the deal with his pressure group NOYB.
“At first sight it seems that the core issues were not solved and it will be back to the CJEU [Euopean Court of Justice] sooner or later,” Schrems said in a statement published by NOYB.
Data-transfer critics aim at mass surveillance
A big problem with Biden’s executive order and the Trans-Atlantic Data Policy Framework itself, according to Schrems and other critics, is that it does not adequately address mass surveillance by US intelligence agencies.
The executive order says that it requires US intelligence activities be conducted “only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority.” But, while EU law also calls for proportionate surveillance, there is no indication that US mass surveillance will change in practice, NYOB said.
In addition, while Biden’s order requires the US Justice Department to establish a Data Protection Review Court to address complaints about surveillance, it is not an “actual court,” but rather a body in the US government’s legal branch, according to NYOB.
NYOB also pointed out that an executive order is not law, but a directive from the US president to the federal branch of government.
The American Civil Liberties Union (ACLU) lobby group agrees.
“The problems with the U.S. surveillance regime cannot be cured by an executive order alone,” said Ashley Gorski, senior staff attorney with the ACLU National Security Project, in an ACLU statement. “To protect our privacy and to put transatlantic data transfers on a sound legal footing, Congress must enact meaningful surveillance reform. Until that happens, U.S. businesses and individuals will continue to pay the price.”
Echoing commnents made by critics of the new data pact, Tash Whitaker, a UK-based consultant on global compliancy issues, said that the agreement is unlikely to fulfil the requirements of an adequacy agreement. “In particular, bulk surveillance will likely continue as is, regardless of any changes to the wording in the new executive order,” Whitaker said. “In addition, there is a need for judicial redress for data subjects within domestic law. The executive order suggests that this happening by referring to a ‘Data Protection Review Court’.”
Why businesses want a new Privacy Shield
Businesses want a new data-transfer agreement to go into effect to cut down on laborious legal negotiations currently required to conduct cross-Atlantic data transfers, to help ensure that they are doing so in a way that meets EU standards, and avoid enforcement action by EU Data Protection Authorities (DPAs)—independent public authorities that handle complaints related to violations of the EU’s the GDPR—according to Lartease Tiffith, executive vice president for public policy at New York-based trade group Interactive Advertising Bureau (IAB).
In the absence of Privacy Shield or a similar agreement, companies use so-called standard contractual clauses to confirm that data transfers are done in accordance with GDPR, Tiffith noted. “The problem with that is that they are very laborious—I wouldn’t even call them standard contractual clauses because in some ways you have to negotiate every single one of them, so standard is probably a misnomer.”
Almost 70% of the more than 5,000 US companies that had signed up for Privacy Shield are smaller firms that don’t have the resources to negotiate multiple contracts with all their data providers, and it’s also a burden for large companies, Tiffith said.
The idea behind Privacy Shield and the new framework is that, once companies self-certify that they adhere to the approved guidelines, they no longer have to establish individual data-privacy contracts with every supplier, Tiffith said.
“The other consideration is that even with the standard contractual clauses, companies are subject to DPA enforcement, if they find you don’t have a sufficient clause or it didn’t cover everything it should,” Tiffith said.
Legal challenges to data transfer rules expected
Tiffith said Biden’s executive order was a step in the right direction, setting the stage for a final agreement, and stressed that data flows are crucial for the mutual development of medical, cybersecurity, and other technologies, as well as media, advertising and consumer goods.
Even so, considering the early criticism of the order, “there will be legal challenges” to the agreement, Tiffith conceded.
Armstrong, the Cordery compliance lawyer, agreed, cautioning businesses about taking encouraging words from US and EU officials to heart. “There’s too much at stake for businesses to rely on those words of comfort especially given the issues which remain with data transfer and the likely challenges,” Armstrong said.
As a result of the EU approval process and possible challenges, the new scheme is bound to be delayed and it’s unlikely the order will come into effect until late spring 2023 at the earliest, Armstrong said. Even then, he said, most organizations will still want to regard it as a temporary deal while they continue to work on other compliance measures, in particular doing double due diligence on the organizations they are sending data to and the measures in place in that jurisdiction.
“All in, it is possible that the US does get some sort of EU adequacy off the back of this, but it will likely be short lived as the lobbyists will be challenging it in court faster than you can say GDPR,” Whitaker said.