.svg)
Although the new EU-U.S. "in principle" agreement is a significant step to enabling transatlantic data flow, there is still very little known about the specifics, leaving experts wondering whether the new framework will fall short of addressing EU concerns about surveillance and privacy.
Last week, the United States and the European Union announced they had agreed in principle on a new Trans-Atlantic Data Privacy Framework that will allow businesses to share data freely between the two economies.
The new framework aims to address concerns brought forward by the Court of Justice of the European Union (CJEU) in July 2020 concerning U.S. surveillance laws that allow American intelligence agencies to target non-U.S. persons but without giving EU citizens actionable rights to challenge this exercise in court.
Policymakers have been in talks since then, trying to negotiate a new agreement that brings U.S. data protection rules up to par with the EU's General Data Protection Regulation (GDPR).
Leaders of the two economies now say the U.S. has committed to implementing new safeguards to ensure that intelligence activities are "necessary" and "proportionate", which will ensure the privacy of EU personal data.
The U.S. will also set up a new two-tier redress system that will investigate and resolve complaints of Europeans, which includes the creation of a Data Protection Review Court.
Little known so far
Despite these changes, privacy experts are largely sceptical of the ability of the new framework to address Europeans’ concerns.
For instance, Max Schrems of campaign group None of Your Business (NYOB), whose lawsuits led to the invalidation of the last two data-sharing frameworks, harshly spoke out against the new agreement, calling it “lipstick on a pig".
“What NOYB hears is that the U.S. is not planning to change its surveillance laws, but only foreseen executive reassurances (using EU language like ‘proportionality’),” Schrems said, adding “it is unclear how this would remotely pass the test by the CJEU, as U.S. surveillance was already held not to be ‘proportionate’ by the CJEU”.
Although others are taking a more moderate approach, acknowledging the agreement is a significant step, there is still a lot of unknown about the actual framework.
“This is a step forward. It is a new announcement made on the political level. It does bear some significance but we must wait and see what else comes, what the concrete framework would actually look like,” Rie Aleksandra Walle, privacy specialist and founder of NoTies Consulting, told VIXIO.
Although there has been a lot of hype about the EU and the U.S. having a data transfer agreement in the media, there are very few specifics known about the actual framework yet, according to Walle.
Privacy experts understand that the deal covers around 95 percent of the new framework, “but it is always the last percent that takes the longest time and at this point, we do not know what’s coming”, Walle said, adding that it is unclear whether there will be any changes to the actual surveillance laws.
“Unless the U.S. actually changes their surveillance laws, which were a key issue in the Schrems II ruling, I'm afraid a new framework won't address the CJEU concerns and we'll be looking at another round in the courts,” she noted.
Despite political pressure to increase EU-U.S. collaboration, Schrems stressed it is "regrettable that the EU and U.S. have not used this situation to come to a 'no spy' agreement, with baseline guarantees among like-minded democracies”.
He also warned policymakers that NOYB will bring any new agreement that does not meet the requirements of EU law back to the CJEU.
Next steps
Following the preliminary announcement, the U.S. government and the European Commission will now translate this arrangement into legal documents. These texts will need to be adopted on both sides of the Atlantic to put in place the new framework.
To that end, the U.S. will adopt its commitments in the form of a presidential executive order, which will be the basis of the European Commission’s assessment in the future adequacy decision.
This means that President Joe Biden will act on this deal without any changes required by Congress.
However, it remains to be seen whether it will be sufficient to allay the CJEU’s concerns as its 2020 judgment requires either guarantees in law, which can only be adopted through Congress, or technical supplemental measures recommended by European authorities, said Gary LaFever, CEO of Anonos.
This, for example, includes embracing statutory pseudonymisation to enable reconciliation of the tensions between data protection and processing utility, according to LaFever.
There are also concerns that even if the new treaty is in place, data protection authorities from all 27 EU member states would be legally obligated under the CJEU decision to force companies to suspend transfers if there is not an essentially equivalent level of protection in the U.S. as there is in the EU, notwithstanding what the politicians say, LaFever stressed.
