Subscriber Only

EU-US data transfer deal faces same privacy issues that floored previous accords

Karlin Lillington: ‘In principle’ data protection deals do not have history on their side

A major US-EU announcement last Friday was drowned out by the noise of a thousand opinion pieces being hastily typed, after US president Joe Biden's off the cuff comments on Saturday about Russian leader Vladimir Putin.

The event on Friday was far less attention grabbing, but (potentially) momentous. During a joint press appearance with Biden and European Commission president Ursula von der Leyen, the two stated that the United States and the European Union had come to a major agreement "in principle" on a replacement for the transatlantic data transfer agreement Privacy Shield, which was found inadequate in a major 2020 European Court of Justice (ECJ) decision (the so-called Schrems 2 ruling).

Von der Leyen and Biden offered no detail, but the announcement was startling because US-EU negotiations have been bogged down ever since the ECJ reaffirmed a position taken in the first Schrems judgement in 2015.

This is, that the US remains unable to guarantee that transferred European data will be protected to EU standards, primarily due to the secretive data-grabbing powers of US surveillance agencies, and a generally weak US data protection environment.

Data flows are a central component of modern business, not just for the big technology and social media companies, but for thousands of small- to medium-sized businesses, too. Biden said data transfers “help facilitate $7.1 trillion in economic relationships with the EU.” Enabling easy, compliant transfers has been a central plank of EU-US business policy.

But the ECJ has thrown out two consecutive agreements – Safe Harbour with Schrems 1, and Privacy Shield with Schrems 2 – on the basic points noted above.

Von der Leyen stated that the new, mystery Trans-Atlantic Data Privacy Framework “will enable predictable, trustworthy data flows between the EU and the US, safeguarding privacy and civil liberties.”

Hmm. Seven years after Schrems 1, they’ve cracked this resistant data protection and privacy nut? So the announcement would have us believe. Which begs the question of why the need to announce something this important, dressed only in a flimsy “in principle” garment?

Contract templates

Some have suggested this was to express an EU-US show of unity to Russia, but a data transfer agreement seems a bit off-subject, not least when there's no data protection agreement with Russia. The more likely impetus is the Irish Data Protection Commission's (apparent) decision last month to invalidate the last remaining method for transatlantic data transfers – using contract templates known as Standard Contractual Clauses (SCCs). The DPC told this to Facebook/Meta as part of resolving an ongoing Schrems complaint, but if Meta can't use them, neither can anyone else.

Anyone who thinks companies weren't therefore facing data Armageddon in very short order hasn't been paying attention to the ECJ's willingness to stand firm on protections in the General Data Protection Regulation (GDPR).

“In principle” data protection agreements on a complex issue split by fundamental policy differences do not have history on their side. Privacy Shield was announced in the same vague way, to a similarly dubious response. Back then, it was to meet a negotiations deadline. Critics anticipated that many messy data protection ends would be unceremoniously tidied away in order to get the agreement over the line.

And so it came to be. Campaigner Max Schrems memorably described Privacy Shield as "lipstick on a pig". Anyone with a serious interest in data protection could see the holes in Privacy Shield, created by the lack any remotely equivalent US federal data protections and the entire US surveillance infrastructure, given significant powers ever since the 9/11 attacks.

The US eventually released aformal statement on the latest kind-of agreement later on Friday. We were still in a detail-free zone, and what was said didn't offer any indication that major problems were resolved.

The US Congress still hasn't grappled with a federal data protection law. Friday's promise that some surveillance agency roadblocks would be addressed by more safeguards and, it seems, presidential executive orders only beg further questions. It's not clear how executive orders, rather than lawmaking from Congress, can address fundamental data protection shortfalls in law.

Secretive access

And then there is the untimely awkwardness of a recent, significant US Supreme Court decision, FBI v Fanzaga. Taken just two weeks ago, it backs the agency’s secretive access to, and use of, personal data.

This fresh case law from America’s highest court suggests it will be difficult and costly for EU citizens to challenge agencies with any mechanism proposed in the new agreement.

What Friday’s gesture towards an agreement probably does is reset the clock, enabling transfers to continue in a look-the-other-way policy limbo, until the actual agreement is confirmed and then, inevitably, challenged over time in the ECJ. This was the dubious route taken with Privacy Shield, which limped along for years before falling in Schrems 2.

My guess is we’re stuck with whatever eventually arrives in the Trans-Atlantic Data Privacy Framework until some future Schrems 3, unless the US at last brings about meaningful change to its own flimsy national data protection infrastructure on behalf of its own citizens, and not just the EU’s.