On October 7th 2022, President Biden signed an executive order to implement the European Union-US Data Privacy Framework. This framework is intended to replace the previous Privacy Shield, which was struck down in 2020 for GDPR violations.
Unfortunately this order does not seem promising. At first glance, issues such as concerns regarding EU citizens' ability to redress identified violations appear to have been addressed by this new framework. Upon further inspection, however, the executive order appears to be replicating the failings of its predecessor. Is the Privacy Shield 2.0 destined to share the fate of its predecessor?
Why is a new framework needed?
The previous Privacy Shield was struck down as part of the ‘Schrems II’ decision in 2020. This was a case brought by the Austrian privacy activist Max Schrems, who claimed that the Privacy Shield framework was insufficient to protect EU citizens' personal data from US security agencies. The EU courts agreed, striking down the Privacy Shield and revoking its adequacy decision. An adequacy decision allows the free transfer of EU citizen data to non-EU member states. Schrems II became a landmark ruling by the highest EU court that confirmed that the US was not an adequately secure data partner under the terms of the GDPR and resulted in the revocation of the Privacy Shield data transfer agreement. This meant that any transfer of EU citizen data to the US has since been termed a ‘restricted transfer’.
Since then, the US government and EU officials have attempted to institute a new transfer mechanism that would enable an adequacy decision. This executive order comes some 7 months after the US and EU’s joint announcement of these plans.
However, upon examination of the executive order, it appears that many of the same issues identified with Privacy Shield 1 are unlikely to be addressed. This would result in the same situation as the previous framework: the CJEU ruling that the Privacy Shield is inadequate for safe transfers.
The Issue of Proportionality
One of the primary issues that privacy activists have identified with the executive order is the ambiguity of terminology. The order mirrors the GDPR’s terminology when asserting that the proportionality and necessity of processing would be assessed by US security agencies. However, there is no commitment to this ‘proportionality’ and ‘necessity’ matching the EU requirements. There is also no commitment to establishing a similar framework to the proportionality test employed under the GDPR.
This issue is compounded by the continuation of ‘bulk surveillance’ that is referred to within the document. As noted by NOYB (None of Your Business), if ‘proportionality’ were to have the same meaning, the US would have to fundamentally limit its mass surveillance systems to comply with the EU understanding of “proportionate” surveillance.
Therefore it is likely that this terminology was included to appease the CJEU rather than actually fit the requirements for adequate protection.
Issue over Redress Mechanisms
Much of the focus of the executive order appears to be on establishing various mechanisms to redress perceived US non-compliance. The document makes multiple references to ‘review[ing]’ and ‘redress[ing]’ issues raised by EU citizens.
However, this redress mechanism appears convoluted at best and an impediment to actual justice at worst.
Of primary concern are the various steps that EU citizens will have to follow to redress non-compliant use of their data. Firstly, users will have to raise issues with a national body in the EU, who will in turn raise the issue with the US government. The US government will then follow a two-step procedure, with the first step being a review by an officer under the Director of National Intelligence and the second step being a “Data Protection Review Court”. However, this will not be a “Court” in the normal legal meaning of Article 47 of the Charter or the US Constitution, but a body within the US government’s executive branch. Finally, a decision will be made as to whether there was no violation or whether it has been remedied.
Ultimately this means that EU citizens will not be able to identify whether or not they are under US government surveillance.
The Requirements for US Businesses
Of particular note is the fact that the EU Commission has not requested that the Privacy Shield principles mirror those of the GDPR. This means that US businesses processing EU citizen data do not have to comply with GDPR requirements, such as identifying a lawful basis for processing.
This represents a major departure from the data protection levels of the GDPR and is likely to jeopardize any attempted adequacy decision.
Take the example of consent and website cookies. Under the GDPR, explicit consent must be provided before non-essential cookies are placed on a user's device. There is no requirement to follow that in the Privacy Shield 2.0. Instead, it appears that US businesses will only have to issue users with an option to ‘opt-out’. This does not meet the GDPR requirements for safe processing.
What Comes Next?
The EU Commission will seek to use the new Privacy Shield 2.0 mechanism to justify the reinstatement of the United States’ adequacy deal. However, as demonstrated, it is unlikely that this mechanism will pass the CJEU as it stands. Although there is the potential for this mechanism to be updated to meet further GDPR requirements, this is unlikely. Indeed, both the US government and the EU Commission appear to be attempting to rush through Privacy Shield 2.0 to free up the ‘$7.1 trillion EU-U.S. economic relationship’.
This failure to learn from the mistakes of the previous Privacy Shield is likely to result in a repetition of its predecessor's fate. Political ambition once again appears ill-matched to the realities of data subject privacy.