EU and U.S. Reach Another Privacy Agreement, and the Threat of Legal Action Continues

Three years after a European Union (EU) court smashed the Privacy Shield that governed the privacy protections of EU citizens by tech companies in the United States, the European Commission announced a new EU-U.S. Data Privacy Framework.

Yesterday’s agreement comes after years of negotiations between the EU, the U.S. Government, and U.S.-based technology companies. The EU announcement said it addressed the issues raised by the court, including the difficult issue of U.S. intelligence and law enforcement use of the data from and about Europeans that tech companies acquire.

The new agreement actually represents the third attempt to address this issue. The original Safe Harbor agreement was invalidated by a European Court in 2015. The commission and the U.S. government then adopted the Privacy Shield agreement, which was struck down in 2020.

In striking down the Privacy Shield, the primary arguments were “that the Privacy Shield data sharing agreement did not provide adequate protections for EU citizens’ and residents’ data nor provide sufficient post-data collection review mechanisms,” and “that an ombudsman position created to review instances of EU citizens’ and residents’ data collection was not independent and had no authority to bind U.S. intelligence agencies to its decisions,” as reported by Security Management.

A key development referenced in the framework document is an executive order issued by U.S. President Joe Biden last year “that requires U.S. signals intelligence activities be conducted only in pursuit of national security objectives; be conducted only when necessary to advance a validated intelligence priority and to the extent and manner proportionate to that priority; and that the activities take into consideration the privacy and civil liberties of all individuals,” according to a different Security Management article.

In addition, the executive order established a new Data Protection Review Court in the United States, which the commission noted Europeans can use to petition companies on data privacy compliance issues. The court will have remedial powers.

Companies that collect data on European citizens must certify that they are in compliance with the EU-U.S. Data Privacy Framework. Based on the executive order and the provisions set forth in the framework, the commission “concludes that the United States ensures an adequate level of protection—comparable to that of the European Union—for personal data transferred from the EU to U.S. companies under the new framework,” which is the key finding that the courts used to strike down the previous two agreements.

Both of those cases involved Maximilian Schrems, an Austrian. In fact, the shorthand used to describe the decisions is Schrems I and Schrems II.

When the EU and United States first announced an agreement without releasing any details in October 2022, Schrems expressed skepticism: “The EU and the U.S. now agree on the use of the word ‘proportionate’ but seem to disagree on the meaning of it. In the end, the CJEU’s definition will prevail—likely killing any EU decision again. The European Commission is turning a blind eye on U.S. law again and allowing the continued surveillance of Europeans.”

Now that the details are out, Schrems’s group noyb announced it fully intends to challenge the new agreement in court. “Just like ‘Privacy Shield’ the latest deal is not based on material changes, but by political interests. Once again the current commission seems to think that the mess will be the next commission's problem. …The press statements of today are almost a literal copy of the ones from the past 23 years. Just announcing that something is ‘new,’ ‘robust,’ or ‘effective’ does not cut it before the Court of Justice. We would need changes in U.S. surveillance law to make this work—and we simply don’t have it.”