There is a “seven or eight out of 10 chance” that the new EU-US data flows deal overcomes a court challenge, says European Justice Commissioner Didier Reynders.
Providing legal foundations for data flows across the Atlantic Ocean is a transatlantic priority. The European Union’s Court of Justice rejected two previous data transfer deals, ruling that both allowed US intelligence agencies illegal access to European personal data.
At stake is the lifeblood of Microsoft, Facebook, and other tech companies. Their advertising, marketing, payroll, and other services depend on transferring data across the Atlantic. European privacy regulators are threatening to force some companies, most prominently Meta, to cut off data transfers to the US, citing the 2020 EU court ruling.
Earlier this year, US President Joseph Biden and European Commission President Ursula von der Leyen moved to head off this threat. They announced a new “EU-US Data Privacy Framework.” In October, the White House issued an Executive Order detailing how it intends to protect European data privacy. On December 13, the European Commission gave the new legal framework a preliminary endorsement.
But the final decision will come from the European Court of Justice. Max Schrems, the Austrian privacy campaigner responsible for past court challenges, vowed to introduce a new court case, saying “the European Commission just issues similar decisions over and over again – in flagrant breach of our fundamental rights.” In the two previous data pact cases, Schrems successfully argued that the US government fails to offer sufficient protection of EU personal data and that EU citizens lacked the ability to challenge the spying (in EU lingo, ‘redress’).
The new Data Privacy Framework attempts to address both points. Under the Executive Order, US intelligence agencies can only conduct surveillance for reasons deemed ‘necessary’ and ‘proportionate’ to a “validated intelligence priority.” Necessity and proportionality are fundamental principles in both EU and international data privacy law. The Order also instructs the US Privacy and Civil Liberties Oversight Board to review intelligence agencies’ updated digital surveillance policies.
Another key advance concerns redress. A “Data Protection Review Court” housed in the US Department of Justice, as well as a Civil Liberties Protection Officer in the Office of the Director of National Intelligence, will review European complaints. The Review Court will be independent and can issue binding decisions, features that legal scholars believe will bolster its defense in EU courts. At a POLITICO Live event, EU and US negotiators–Bruno Gencarelli and Alex Greenstein, respectively–agreed that the new US framework could survive European court scrutiny.
Yet doubts remain. US intelligence agencies will continue bulk collection, or the gathering of mass amounts of personal data not tied to a specific target, under the framework. US surveillance law experts Elizabeth Goitein and Ashley Gorski predict European courts will deem the practice illegal.
A final court decision will be years away. The European Data Protection Board and a member state committee are expected to greenlight this week’s European Commission adequacy decision in July 2023. Only then can a court challenge be filed.
The EU-US Data Privacy Framework represents a model example of transatlantic cooperation. Officials praise how Brussels and Washington coordinated closely to move from the March agreement in principle to this week’s European Commission draft adequacy decision.
Such unity is missing elsewhere. Europeans are furious about “protectionist” US electric vehicle subsidies. Americans are chagrined over restrictions imposed on US tech firms by Europe’s push for digital sovereignty. Tensions are also high over the EU’s AI Act, Cyber Resilience Act, and recent US export controls imposed on China.
Despite a predicted seven or eight out of 10 probability of success, the data deal remains far from a sure bet. But given the strained state of transatlantic tech relations, these odds look like a rare ray of bright light.
Matthew Eitel is a Program Assistant at CEPA’s Digital Innovation Initiative.
Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions are those of the author and do not necessarily represent the position or views of the institutions they represent or the Center for European Policy Analysis.