In the EU-US data transfer and privacy quarrel, the end is not in sight

The third time wasn’t the charm. After Safe Harbour and Privacy Shield both met their maker at the hands of the EU’s Court of Justice (CJEU), a new report predicts that the US’ latest attempt to offer adequate protection to EU citizens and residents when it comes to the transfer of their data could be the next fatality.

The report assessed the new EU-US Data Privacy Framework (DPF) based on a legal "fitness check" that considers the benchmarks established by EU law and the CJEU in judgments like Schrems I and Schrems II.

Any international data transfers deal between the European Commission and third states must strictly conform to EU Treaty principles while providing persons in the EU with privacy safeguards that are essentially equivalent to those envisaged in the GDPR and the EU Charter of Fundamental Rights.

This is what the US was aiming for with Executive Order (EO) 14086, which received the European Commission’s approval following an Adequacy Decision.

However, the DPF falls short for four main reasons.

Will EU citizens be better protected from US intelligence monitoring?

Firstly, it remains unclear whether it will lead to any meaningful change in how US intelligence authorities monitor EU citizens.

US surveillance instruments such as Executive Order 12333 on foreign signals intelligence information and Section 702 of the Foreign Intelligence Surveillance Act (FISA) will remain in force.

These allow US authorities to collect the large-scale electronic communications of non-Americans outside the country for intelligence purposes without individual judicial review.

EO 14086 explicitly authorises bulk collection if intelligence actors are pursuing at least one of six listed "legitimate objectives".

These objectives are too broad and could encompass large volumes of data. The DPF is also silent on the increasing use of automated data processing and AI in the US.

Secondly, EO 14096 doesn’t adequately define crucial terms such as "bulk collection". Instead, the EO opted for a definition and scope of "bulk collection" that the CJEU criticised in Schrems II.

Data collected for national security purposes is also subject to restrictions and safeguards in the context of international data transfers, which is in line with the CJEU’s data retention case law.

Trials and tribulations

Furthermore, following the Schrems judgments, EO 14086 introduces the notion of proportionality as a limit to signal intelligence collection.

Yet the vast differences between how this principle is interpreted and applied in the EU and the US have gone unaddressed.

Under EU law, a balancing exercise is off the table once a policy affects the "very essence" of a fundamental right. Even though these standards are not observed stateside, the EO states that proportionality assessments only consider US law exclusively.

Finally, EO 14086 introduced a novel redress mechanism to provide an effective remedy, a core requirement formulated by Schrems II.

However, the Data Protection Review Court (DPRC) – despite its name - doesn’t qualify as an independent judicial tribunal, which is an indispensable condition for a fair trial and the rule of law in the EU legal system.

Rather, it’s an administrative body falling under the US Department of Justice and is directly accountable to the President.

The so-called judges will review individual complaints in confidential, one-sided proceedings and issue decisions that cannot be appealed.

As Justice Commissioner Didier Reynders highlighted to US authorities in June 2023, the legal safeguards the EU expects from third countries are not only the default at the EU level but also expected to be applied by all member states.

In fact, the European Parliament has called for more effective enforcement of the EU’s data protection acquis and the rule of law concerning national intelligence authorities.

Is any of this Charter-proof?

Anyone on EU soil, regardless of their nationality and whose data is transferred to the EU, is entitled to effective remedies before independent courts – even the European Court of Human Rights.

Nevertheless, as intelligence communities in EU member states fall outside the scope of the Adequacy Decision and aren’t considered by the CJEU if evaluating data transfers arrangements, the European Commission’s assessment must focus on whether these are "EU Charter-proof".

Overall, debates over transatlantic data transfer adequacy shouldn’t be a "beauty contest" or a finger-pointing exercise, as this could lead to a worldwide race to the bottom.

Despite genuine efforts from negotiators on both sides, key conditions haven’t been fully met. Until US policy lives up to these standards, the protection offered to EU persons in the US cannot yet hold merited trust.

The Commission’s Adequacy Decision features crucial gaps that ultimately allowed the EU to greenlight an arrangement that doesn’t completely fulfil the EU’s constitutional requirements.

With the DPF now up and running, we’ll have to wait and see what the CJEU says should a new case question its lawfulness.

If that happens, we hope it won’t relent in its quest to ensure EU citizens and residents are subject to the same rights and remedies that they legitimately hold in the EU.

This would help to finally relieve a deepening feeling that our private lives are indeed under constant surveillance.

Franziska Boehm is a law Professor at FIZ Karlsruhe and Karlsruhe Institute of Technology, KIT; Sergio Carrera is Senior Research Fellow and Head of the Justice and Home Affairs Unit at CEPS; Valsamis Mitsilegas is Professor of European and Global Law and Dean of the School of Law and Social Justice at the University of Liverpool; and Julia Pocze is a Research Assistant in the Justice and Home Affairs Unit.

At Euronews, we believe all views matter. Contact us at view@euronews.com to send pitches or submissions and be part of the conversation.