When President Biden signed an executive order to implement a framework to protect the privacy of data flowing between the US and Europe on 7 October, it sparked hope that a major issue facing businesses on both sides of the Atlantic was closer to being resolved. That may turn out to be the case, but reaction in the week since the order was signed suggests there’s still some way to go.
Data flows are vital to the $17trn trading relationship between the US and EU, but the question of adequate privacy safeguards dates back to 2000, when the Safe Harbor Framework was established to cover personal data transferred from the EU to the US. When Edward Snowden blew the whistle on the PRISM mass surveillance program in 2013, it set off a chain of events that led to the EU Court of Justice ruling in 2015 that Safe Harbor no longer provided sufficient protection. This meant companies could no longer rely on Safe Harbor as a legal basis for transferring personal data from the EU to the US.
“The Privacy Shield was the most important legal ground for international data transfer, in particular for small and medium size companies.”
Oliver Süme, technology and IT law specialist
Safe Harbor was replaced in 2016 by a framework called Privacy Shield. That too was challenged by European privacy campaigner Max Schrems, who had brought the case behind the original ruling, and in 2020, in a ruling dubbed Schrems II, the EU Court of Justice struck down Privacy Shield on the basis that US surveillance programs were not limited to what is strictly necessary and proportionate, and that EU citizens lacked effective redress.
At the time the ruling was announced, more than 5,000 companies were participating in Privacy Shield. The absence of any replacement framework has been a major problem for business, which needs certainty in order to plan properly and operate successfully. Technology and IT law specialist Oliver Süme told a recent podcast hosted by the Internet Infrastructure Coalition that “the Privacy Shield was the most important legal ground for international data transfer, in particular for small and medium size companies”.
Political agreement
The executive order follows an agreement in principle on a new data privacy framework that President Biden and European Commission President Ursula von der Leyen announced in March 2022; the October order is intended to deliver on that agreement by ushering in what is widely called Privacy Shield 2.0, formally the EU-US Data Privacy Framework.
The International Association of Privacy Professionals has a very good analysis of the new provisions on its website, with staff contributor Caitlin Fennessy concluding that “while companies cannot yet legally rely on that positive assessment of U.S. government access protections, it provides welcome reassurance”.
Süme spoke of the importance of having something in place that was easy to use, and was optimistic that “it will not only stop the situation of legal uncertainty, but… stimulate data transfer and a global data economy on both sides of the Atlantic.”
“The US would have to fundamentally limit its mass surveillance systems to comply with the EU understanding of ‘proportionate’, which will not happen!”
Dick Roche, former Republic of Ireland minister of state for European affairs
Not all assessments are as positive, however. Max Schrems has already described the order as “deeply concerning”. In an open letter, he draws attention to the fact that the new transfer mechanism is not based on statutory amendments to US surveillance laws and does not provide EU citizens with meaningful opportunities for redress. His advocacy group NOYB has promised to “challenge any final adequacy decision that would fail to provide the needed legal certainty”.
ACLU concerns
Former Republic of Ireland minister of state for European affairs Dick Roche has also urged another look at the new framework, and expresses concern that the European Commission has “endorsed the order enthusiastically”. He points out that the American Civil Liberties Union has concluded the order does not “ensure that people whose privacy is violated will have their claims resolved by a wholly independent decision-maker”, and draws attention to NOYB’s reservations about differences in the legal definition of terms such as “necessary” and “proportionate” on either side of the Atlantic.
“Were they on the same page,” he says, “the US would have to fundamentally limit its mass surveillance systems to comply with the EU understanding of ‘proportionate’, which will not happen!”
The European Commission is expected to take around six months to assess the order and adopt an adequacy decision bringing the new framework into EU law. But another legal challenge, already being talked of as Schrems III, is very likely. Alongside all of this is the question of how the UK, now outside the EU, will fit in. For business, certainty on data protection and transfer looks a long way off.