The European Union and US have reached an in-principle agreement on EU-US data transfers, to replace the defunct Privacy Shield framework – but the deal still faces a lot of legal uncertainty.
European Commission president Ursula von der Leyen and US president Joe Biden announced the EU-US data transfer deal on Friday at a press conference in Brussels.
The deal comes almost two years after the Court of Justice of the EU (CJEU) scuppered the Privacy Shield agreement in its judgment on the Schrems II case. The court ruled US national security laws meant the rights of EU citizens to privacy could not be guaranteed under the Privacy Shield framework.
The new agreement aims to remedy this by requiring that any data collection by US intelligence agencies be “necessary and proportionate”, by establishing a Data Protection Review Court, and by introducing new procedures for intelligence agencies.
“EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the U.S. Government who would have full authority to adjudicate claims and direct remedial measures as needed,” said a White House fact sheet on the agreement.
While Biden and von der Leyen were upbeat about the new EU-US data transfer framework, it faces a difficult path ahead. The first step is to translate the principles of the deal into legal language, which will take months – an equivalent agreement with South Korea runs to 122 pages of dense text, while the agreement with the UK is 93 pages long.
‘Lipstick on a pig’
Once the final framework has been agreed, the next challenge is likely to come from Max Schrems himself, slayer of the Privacy Shield deal. Schrems’ NOYB group described the new deal as “lipstick on a pig”.
“We already had a purely political deal in 2015 that had no legal basis. From what you hear we could play the same game a third time now. The deal was apparently a symbol that von der Leyen wanted, but does not have support among experts in Brussels, as the US did not move,” said Schrems in a statement.
“The final text will need more time, once this arrives we will analyse it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision,” he added.
One of the main issues could be the framework’s lack of legislative underpinning at the US end; all the new safeguards will almost certainly be enacted by executive orders, which can be undone at any time. Another may be the extent to which the framework’s Review Court has any real power to prevent surveillance – a long-standing issue with the US’s FISA courts.
The EU, US, and the world’s largest IT vendors are all eager for an agreement, along with companies across the EU who want an end to the current uncertainty. But there may still be months, if not years, of legal wrangling ahead before the EU-US data transfer issue is settled.