In the EU-US data transfer and privacy quarrel, the end is not in sight

Third time wasn’t the charm. After Safe Harbour and Privacy Shield both met their maker at the hands of the EU’s Court of Justice (CJEU), a new report predicts that the US’ latest attempt to offer adequate protection to EU citizens and residents when it comes to the transfer of their data could be the next fatality.

The report assessed the new EU-US Data Privacy Framework (DPF) based on a legal ‘fitness check’ that considers the benchmarks established by EU law and the CJEU in judgments like Schrems I and Schrems II.

Any international data transfers deal between the European Commission and third states must strictly conform to EU Treaty principles, while providing persons in the EU with privacy safeguards that are essentially equivalent to those envisaged in the GDPR and the EU Charter of Fundamental Rights. This is what the US was aiming for with Executive Order (EO) 14086, which received the European Commission’s approval following an Adequacy Decision.

However, the DPF falls short for four main reasons.

Firstly, it remains unclear whether it will lead to any meaningful change in the way US intelligence authorities monitor EU citizens. US surveillance instruments such as Executive Order 12333 on foreign signals intelligence information and Section 702 of the Foreign Intelligence Surveillance Act (FISA) will remain in force. These allow US authorities to collect the large-scale electronic communications of non-Americans outside the country for intelligence purposes without individual judicial review.

EO 14086 explicitly authorises bulk collection if intelligence actors are pursuing at least one of six listed ‘legitimate objectives’. These objectives are too broad and could encompass large volumes of data. The DPF is also silent on the increasing use of automated data processing and AI in the US.

Secondly, EO 14096 doesn’t adequately define crucial terms such as ‘bulk collection’. Instead, the EO opted for a definition and scope of ‘bulk collection’ that the CJEU criticised in Schrems II. Data collected for national security purposes is also subject to restrictions and safeguards in the context of international data transfers, in line with the CJEU’s data retention case law.

Thirdly, following the Schrems judgments, EO 14086 introduces the notion of proportionality as a limit to signal intelligence collection. Yet the vast differences between how this principle is interpreted and applied in the EU and the US have gone unaddressed. Under EU law, a balancing exercise is off the table once the ‘very essence’ of a fundamental right is affected by any policy. Even though these standards are not observed stateside, the EO states that proportionality assessments will only exclusively consider US law.

Finally, EO 14086 introduced a novel redress mechanism to provide an effective remedy, a core requirement formulated by Schrems II. However, the Data Protection Review Court (DPRC) – despite its name – doesn’t qualify as an independent judicial tribunal, which is an indispensable condition for a fair trial and the rule of law in the EU legal system. Rather, it’s an administrative body falling under the US Department of Justice and is directly accountable to the President. The so-called judges will review individual complaints in confidential, one-sided proceedings and issue decisions that cannot be appealed.

As highlighted by former Justice Commissioner Didier Reynders to US authorities in June 2023, the legal safeguards the EU expects from third countries are not only the default at EU level but all Member States are also expected to apply them. In fact, the European Parliament has called for more effective enforcement of the EU’s data protection acquis and the rule of law concerning national intelligence authorities. Anyone on EU soil, regardless of their nationality, and whose data is transferred to the EU, is entitled to effective remedies before independent courts – even the European Court of Human Rights.

Nevertheless, as intelligence communities in EU Member States fall outside the scope of the Adequacy Decision and aren’t considered by the CJEU if evaluating data transfers arrangements, the Commission’s assessment must focus on whether these are ‘EU Charter-proof’. Overall, debates over transatlantic data transfer adequacy shouldn’t be a ‘beauty contest’ or a finger-pointing exercise as this could lead to a worldwide race to the bottom.

Despite genuine efforts from negotiators on both sides, key conditions haven’t been fully met. Until US policy lives up to these standards, the protection offered to EU persons in the US cannot yet hold merited trust. The Commission’s Adequacy Decision features crucial gaps that ultimately allowed the EU to greenlight an arrangement that doesn’t completely fulfil the EU’s constitutional requirements.

With the DPF now up and running, we’ll have to wait and see what the CJEU says should a new case question its lawfulness. If that happens, we hope it won’t relent in its quest to ensure EU citizens and residents are subject to the same rights and remedies that they legitimately hold in the EU. This would help to finally relieve a deepening feeling that our private lives are indeed under constant surveillance.

About the Authors:

Franziska Boehm is a law Professor at FIZ Karlsruhe and Karlsruhe Institute of Technology, KIT

Sergio Carrera is Senior Research Fellow and Head of the Justice and Home Affairs Unit at CEPS

Valsamis Mitsilegas is Professor of European and Global Law and Dean of the School of Law and Social Justice at the University of Liverpool.

Julia Pocze is a Research Assistant in the Justice and Home Affairs Unit.