It was billed as a giant breakthrough. In July, Washington and Brussels overcame European privacy concerns about US spying to sign a new Data Privacy Framework. A large majority of EU governments voted in favor of the agreement, twenty-four votes to three.
The new deal attempts to address EU’s privacy concerns by limiting how US intelligence agencies can obtain information about EU citizens. President Joseph Biden signed a new Executive Order, establishing a new regulatory oversight board that will allow Europeans to seek redress for potential privacy violations.
But celebrations should be put on hold. The European Court of Justice rejected two previous transatlantic data deals. It now looks like the European court will review the agreement faster than initially expected.
The stakes are enormous. Transatlantic data transfers represent the lifeblood of Microsoft, Facebook, and other tech companies. Their advertising, marketing, payroll, and other services depend on transferring data across the Atlantic. Without a deal, European privacy regulators threatened to force companies, most prominently Meta, to cut off data transfers to the US, citing the previous 2020 EU court ruling.
Europe’s judges could again exercise a veto. French centrist parliamentarian Philippe Latombe has moved to suspend the new Data Protection Framework before its formal acceptance. On September 6, he filed two complaints to the Court of Justice, the first for suspension, the second to nullify the agreement’s text. According to Latombe, the privacy protections included in the new Data Privacy Framework remain insufficient. US collection of data from EU citizens continues to create a “personal prejudice” in violation of the General Data Protection Regulation (GDPR) and the EU Charter of Fundamental Rights.
A broad spectrum of Europeans, lawyers, academics, and data protection officers share these concerns, Lacombe says. Privacy-sensitive German politicians are among the most vocal. Petra Sitte, technology policy spokesperson for the German Left Party’s parliamentary group, judges US privacy protection as inadequate. For free market-minded liberal Free Democratic Party parliamentarian Maximilian Funke-Kaiser, the new deal fails to go far enough to deliver legal certainty since the new Privacy Shield fails to end the gap between the high level of protection of personal data in Europe and the lower level in the US.
Additional legal challenges look certain. Austrian activist Max Schrems has announced that he will attack in autumn. His two previous lawsuits, “Schrems I” and “Schrems II,” nullified the former USA-EU data transfer agreements: the 2015 Safe Harbor and the 2020 Privacy Shield. Shrems has already denounced the “third attempt” for a “stable agreement on EU-US data transfers” as putting “lipstick on a pig.”
If the EU court rules against the new data deal, US and EU companies will have to continue using “standard contractual clauses” to transfer data. These clauses oblige US counterparts to provide reasons for data processing and safeguards for data deletion. European data protection agencies are also skeptical about them. In May, Ireland’s agency ruled that social media giant Meta’s contracts were illegal and issued a €1.2 billion fine.
Some influential US lawyers believe the new privacy framework could pass European judicial muster. It establishes a new US Data Protection Review Court that will allow European citizens to file claims if they believe their data was collected in violation of GDPR rules. Peter Swire, a Georgia Tech professor who is a leading voice on privacy and cybersecurity law, expressed confidence that the new “framework meets both EU and US legal requirements.”
Whatever happens in the European court cases, expect continued tensions. The US has failed to pass a national privacy law. The US also insists on extraterritoriality, empowering its authorities to access data generated outside the US borders.
Both positions confront deep-held European legal and cultural beliefs. The European conception of protecting personal reputation clashes with the US insistence on unfettered surveillance.
No administration in Washington will agree to reduce the powers of US intelligence to protect national security. On the other side, the European civil society will not agree to weaken the continent’s privacy protections without putting up a fight.
At best, these differences can be managed, would each block agrees to concessions. At worst, they will cause endless legal disputes.
Théophane Hartmann is a Paris-based technology reporter at Euractiv. Alina Clasen is a Berlin-based technology reporter at Euractiv.
*This article has been edited to account for a more accurate description of Mr. Funke-Kaiser’s views.
Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions are those of the author and do not necessarily represent the position or views of the institutions they represent or the Center for European Policy Analysis.