Since the ECJ declared the ›Safe Harbour‹ agreement invalid in October 2015, transatlantic data traffic has been fraught with significant hurdles and uncertainties. With virtually all European companies relying on data processing by US service providers, the demand for a legally secure and sustainable agreement between the EU and the US is omnipresent. American parent companies in particular hope that data transfers to the US will be simplified in the future. The latest hope is the ›Trans-Atlantic Data Privacy Framework‹ (TADPF), which is intended in particular to limit access by US intelligence services and guarantee the protection of EU citizens’ personal data. The promising Executive Order 14086 by US President Joe Biden dated October 7, 2022 is supposed to provide new guarantees for this. However, it is highly questionable whether this will provide the US with the ›equivalent protection in substance‹ required by the ECJ.
On May 11, 2023, the EU Parliament submitted a resolution proposal in which it criticises the efforts made by the US to date. The knock-out criterion is that the rights of EU citizens with regard to the processing of their personal data by US companies are still not equal to the rights of US citizens. In particular, there are still no effective legal remedies for EU citizens, and there is a lack of transparency with regard to the relevant data protection regulations.
I. Background: The GDPR in international data transfers
While the General Data Protection Regulation (GDPR) provides a high level of protection for personal data in the EU, this level of protection can be undermined in the case of data transfers to, or remote access from, third countries (i.e. countries outside the EU or EEA). The reason for this is that different national laws and international obligations apply in the third country, which cannot be reconciled with the provisions of the GDPR and result in a lower level of protection. In the US in particular, the authorities have extensive access rights. As a consequence, a company might have to disclose personal data even though it is prohibited from doing so under the GDPR. Against this backdrop, the GDPR requires that international data transfers meet additional requirements (Art. 44 GDPR et seq.).
For individual countries, the EU Commission has assessed the level of protection in that country and concluded that it is equivalent to the level of protection in the EU. In such cases, a so-called ›adequacy decision‹ (Art. 45 GDPR) has been issued, based on which personal data can be transferred in a simplified manner. A list of these third countries can be found here - the USA is not included.
II. The failed agreements: ›Safe Harbour‹ and ›EU Data Privacy Shield‹
Although there have been two agreements in the past that were intended to simplify data transfers to the US, both were declared invalid by the ECJ: First, in October 2015, the ECJ declared the ›Safe Harbour‹ agreement ineffective (judgment of 6 October 2015, Case C-362/14 ›Schrems I‹), and in July 2020, its successor, the ›EU Data Privacy Shield‹ (judgment of 16 July 2020, Case C-311/18 ›Schrems II‹), met the same fate. The ECJ's main reasoning was that the agreements did not provide sufficient legal protection against surveillance of EU citizens by US authorities and therefore did not sufficiently protect the fundamental rights of the EU citizens concerned. Against this background, on May 20, 2021 the EU Parliament called on the European Commission not to adopt a new adequacy decision for the US unless the US creates an adequate legal framework.
III. Current developments – the EU Parliament speaks plainly!
Following a joint meeting on March 25, 2022, EU Commission President von der Leyen and US President Biden announced that work is in progress and that a new EU-US agreement is being drafted - the ›Trans-Atlantic Data Privacy Framework‹ (TADPF). On October 7, 2022, Biden signed Executive Order 14086, which introduced safeguards and established a body for EU citizens to submit complaints. The EU Commission then initiated the procedure to adopt an adequacy decision for the US on December 13, 2022.
However, hopes for a timely adoption of the TADPF may now be disappointed: The EU Parliament criticised the draft on May 11, 2023, signalling that its adoption - and with it the simplified transfer of data to the US - is likely to be pushed back further. In its resolution proposal, the EU Parliament acknowledged that Executive Order 14086 partly contains ›significant commitments‹. At the same time, however, it noted that sufficient guarantees had not yet been put in place to ensure a ›substantially equivalent level of protection‹ for EU citizens from the US authorities. The EU Parliament therefore considered Executive Order 14086 to be insufficient:
The EU Parliament welcomed the new possibility for EU citizens to challenge the processing of their data by US authorities in a Data Protection Review Court. At the same time, however, it criticised the fact that this court and the corresponding procedure do not meet constitutional requirements: The court is part of the executive branch, and its judges are appointed for only four years. Above all, the US president can dismiss judges at any time and overrule the court's decisions - even in secret. The independence of the judges is therefore not guaranteed. In addition, the court may at any time classify decisions as secret and thus deny access to applicants. Finally, no claim for monetary compensation can be filed before the court.
The EU Parliament also argued that the ban on US authorities collecting mass data on US citizens living in the US still does not apply to EU citizens. Such mass government surveillance is unlawful and undermines the trust of EU citizens and European businesses in the digital economy.
On the positive side, the EU Parliament underlined that the European principle of proportionality has now found its way into the assessment of the permissibility of data processing by the US authorities through Executive Order 14086. Nevertheless, the principle of proportionality contained therein is not comparable to that of the EU and is interpreted exclusively in the light of US law - not EU law.
Another problem, identified by the EU Parliament, is that the US President can amend the Executive Order at any time. This applies in particular to the lists of purposes for which personal data may or may not be processed by the US authorities. Associated with this is a significant lack of clarity and predictability in existing data protection standards, as the US President thus has the power to create new legal grounds for data processing. Moreover, the EU does not even need to be informed of such presidential changes.
Finally, the EU Parliament underlines that the US - unlike all third countries for which an adequacy decision has been issued - does not have a federal data protection law.
IV. The EU Parliament hopes for adjustments – so do we!
Although the EU Commission does not depend on the approval of the EU Parliament and could therefore move ahead quickly, the joy over a new agreement could be short-lived if the ECJ puts a stop to it once again. One can therefore only hope that the EU Commission will enter into further negotiations with the US and take adequate steps to address the concerns expressed by the EU Parliament. Only in this way can a legal framework that guarantees legally secure data transfers to the US be established. Until then, data transfers to the US require additional safeguards, and companies are forced to rely on standard contractual clauses (›SCC‹) or, within a group, binding corporate rules (›BCR‹). For more information on SCCs and Intra Group Data Transfer Agreements (IGDTA), see our blog post from last year.