Third Time’s the Charm, According to the EU-U.S.’s Pact on Data Sharing

The European Commission, responsible for proposing and enacting the European Union’s laws and policies, recently announced a data transfer agreement with the U.S. under which businesses can transfer data out of the EU more securely while complying with the EU’s data privacy laws. The EU-U.S. Data Privacy Framework, abbreviated as DPF, aims to have data “flow safely between the EU and the U.S., without having to put in place additional data protection safeguards.” This is not the first data privacy pact the U.S. and the EU have agreed to enact: two previous iterations were revoked and had to be revised. However, EU justice commissioner Didier Reynders is confident that this third iteration, dubbed the “EU-U.S. Data Privacy Framework,” will last, unlike its predecessors.

Privacy Shield: The DPF’s predecessor

Before this data privacy announcement, many companies were treading on unsteady ground, as they were left with two choices: either bear additional costs to “process and store user data locally or withdraw their business from the bloc together.” These costs were not simply monetary; many companies were also left in “legal limbo,” unsure about their compliance after the second iteration—the “Privacy Shield” framework—was struck down.

In its annual report in early 2022, social media giant Meta stated that it might have to resort to shutting down its platforms, Instagram and Facebook, if it could not transfer user data back to the U.S. Meta explicitly referenced the lack of an approved data transfer framework between the EU and the U.S. in its report: “If a new transatlantic data transfer framework is not adopted or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe.” Meanwhile, Microsoft resorted to storing European user data locally in 2021 to ensure its compliance with the EU’s privacy rules.

The destabilizing effects of the Privacy Shield being struck down were not exclusive to tech companies, as reportedly more than 5,000 businesses were certified under the Privacy Shield. For instance, human resources departments might have to send information about European citizens overseas or access such information remotely—and with the Privacy Shield dismantled, they were unsure what could be deemed compliant. “Without a reliable legal framework, companies that transfer data across the Atlantic have faced confusion, higher compliance costs, and challenges for EU-U.S. business relationships,” says Caitlin Fennessy, the former Privacy Shield director for the U.S.

Companies attempted to resolve the legal limbo they were in by various methods, going as far as “using the contractual clauses between businesses,” but to no avail due to their complex implementation. And so, the arrival of the DPF left many U.S. companies feeling more at ease with their management and transfer of European user data.

Schrems II Ruling: The Start of Revitalized European Data Privacy Laws

This is not to say that the DPF and its predecessors were received positively by European citizens as well. In fact, the Safe Harbour Agreement—the original data privacy pact—was introduced in 2000, and one of its primary aims was the same as the DPF’s: to allow U.S. companies to transfer European users’ data more easily between the U.S. and Europe while complying with EU regulations.

However, Austrian lawyer and privacy activist Max Schrems filed a lawsuit against Facebook in Ireland—Facebook’s European headquarters—alleging that Edward Snowden’s whistleblowing on National Security Agency (NSA) surveillance showed that the U.S. had given the EU no reason to trust its data protection measures. Schrems’ lawsuit was not merely aimed at Meta, but also at other companies that transferred European citizens’ data to the U.S. without clarifying the data protection standards they implemented.

In 2015, Schrems’ lawsuit eventually reached the European Court of Justice (CJEU), where the Court ruled that the Safe Harbour Agreement was invalid and did not “afford an adequate level of protection of personal data.” The Safe Harbour Agreement was deemed invalid for a multitude of reasons: it included no statement limiting “interference by the authorities in the right to privacy for the data,” it allowed authorities to access “personal data and process them… beyond what was strictly necessary for the protection of national security,” and it did not allow affected people to “have a right to access their personal data to rectify or eliminate them.”

The second iteration, the “Privacy Shield,” was launched as a replacement for the Safe Harbour Agreement with supposedly stricter regulations for U.S. companies. However, it too was quickly invalidated, in 2020, when the European Court of Justice deemed that the U.S.’s data protection practices for EU users do not “satisfy requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.”

Beyond the Schrems rulings, the EU also implemented another data privacy and security law for global organizations that collect EU citizens’ data: the General Data Protection Regulation (GDPR). Dubbed “the toughest privacy and security law in the world,” the GDPR aims to make personal data protection an utmost priority in everything that an organization collecting EU user data does. The GDPR also promotes data minimization, under which corporations collect only the personal information they need and nothing beyond that threshold, ensuring that organizations do not overstep their boundaries with the type of data collected on people. Accountability is the latest principle added to the GDPR, ensuring compliance with all of the GDPR’s key principles and providing a method of record-keeping for potential security breaches.

One of the talking points of the GDPR is its power to penalize non-compliant businesses financially, where “smaller offences can result in fines of up to €10 million or 2% of a firm’s global turnover (whichever is greater).” An instance of this is the $1.3 billion fine imposed on Meta by the Irish DPC for transferring personal data to the U.S. via the Standard Contractual Clauses (used as an alternative after the Privacy Shield was struck down), ultimately breaching the GDPR’s guidelines. The EU has taken unprecedented measures to protect its citizens’ data and affirm their right to privacy.

The creation of the DPF

With the launch of the GDPR and the Schrems rulings, the EU agreed with the U.S. in March 2022 to create another iteration of the Privacy Shield—two years after the landmark ruling that invalidated it. When the DPF finally launched in July 2023, EU Commissioner Didier Reynders attempted to convince the public that it is not merely a “copy/paste of earlier (failed) transfer mechanisms,” but “a very different system.” Reynders went on to assert that the EU had used the feedback it was given to finalize a DPF that is fully compliant “with the conditions set in the ruling of the EU’s highest court.”

The DPF includes various obligations for both data importers and the intelligence agencies, attempting to differentiate itself as a superior alternative to its previous iterations. To be certified under the DPF, data importers must be willing to submit to regulation by the U.S. Federal Trade Commission (FTC) or the U.S. Department of Transportation. As noted by law firm Taylor Wessing, should these U.S. businesses additionally want to be accepted by the U.S. Department of Commerce, they must adhere to seven principles:

  • Notice Principle: to have transparency on their data processing
  • Choice Principle: to grant users the ability to opt out when their personal information is disclosed to a third party or used for any purpose other than the original purpose of collection
  • Accountability for Onward Transfer Principle: to accept responsibility for onward transfers
  • Security Principle: to ensure security on the personal data that is collected
  • Data Integrity and Purpose Limitation Principle: processing only necessary and relevant user data
  • Access Principle: to grant data subject rights
  • Recourse, Enforcement, Liability Principle: to enable effective legal protection on user data

Beyond the principles above, Taylor Wessing also states that the DPF has additional principles and special guidelines for other types of data, such as medical research or journalistic activities. U.S. businesses must also renew their certification annually.

The obligations that U.S. intelligence agencies have under the DPF are much starker than under its predecessors. The DPF relies on an Executive Order, a “signed, written, and published directive from the President of the United States that manages operations of the federal government.” The Privacy Shield, by contrast, relied on a Presidential Policy Directive, which does not carry the same weight; an Executive Order “has likely more force and cannot be secretly repealed.” By backing the DPF with an Executive Order, the U.S. has made it quite clear that its authorities must act in accordance with what the DPF states when accessing personal data from Europe. In addition, U.S. intelligence agencies are only allowed to conduct mass surveillance in “exceptional cases,” limiting their activities to cases relevant to the Executive Order. The DPF also introduced an independent review procedure for EU citizens who file a complaint against U.S. companies for “suspected unlawful processing of their data by intelligence agencies.”

Legal challenges for the DPF

Even though the DPF was only recently launched, it has already met considerable backlash from privacy campaigners, who state that it may be re-examined by the European Court of Justice within months. One particular criticism of the DPF is that since the Privacy Shield was struck down in 2020, U.S. surveillance powers have not changed for the better: FISA 702—a statute that collects foreign users’ data from U.S. internet service providers—was not struck down, and no safeguards for foreigners’ data were created. And so, the heart of the problem remains for the DPF, as the EU’s strict data privacy laws attempt to reconcile with the U.S.’ track record of mass surveillance.

Following the announcement of the DPF’s launch, Schrems and his data privacy organization, noyb (None of Your Business), argued that the DPF is “largely the same as the Privacy Shield that failed to pass with the EU judges.” As the U.S. agrees to “proportionate” data use in its agreement with the EU under the DPF, Schrems is skeptical of the U.S.’ definition of “proportionate,” as he states that the U.S. “is not assigning the same definition to the term that EU judges would understand in the Executive Order… where the U.S. now vows its surveillance of foreigners will be ‘proportionate.’”

Another aspect of the DPF, the independent review procedure under which an EU citizen can file a complaint against a U.S. business for suspected unlawful processing of their data, is also criticized by Schrems and noyb. Although the DPF documentation calls the body handling this procedure a “court,” Schrems notes that it is not a “court of law,” but merely a “partly independent executive body.” And so, Schrems concludes that these improvements are ineffective at best: “They say the definition of insanity is doing the same thing over and over again and expecting a different result. Just like ‘Privacy Shield,’ the latest deal is not based on material changes but by political interests.”

The future of the DPF

The approval of the DPF, after two years of legal limbo, has let U.S. businesses sleep better at night, as there are now regulations on how to transfer EU users’ data safely to the U.S. For critics, however, the ongoing battle for privacy against U.S. mass surveillance and collection of their data remains contentious.

While lawmakers take years to revise the data privacy pact’s policies, U.S. businesses can continue to flourish, since they can process EU data through Standard Contractual Clauses. Meta continued to transfer EU users’ data through Standard Contractual Clauses during the legal limbo following the Privacy Shield’s end, despite a decade’s worth of complaints. Even after being ordered to stop exporting EU users’ data following the breach, Meta continued to ship that data despite the practice being deemed “unlawful.”

Schrems’ organization, noyb, deems this tedious process a game of “legal ping pong,” as all of the actors, from the lawmakers to the U.S. businesses, attempt to shift responsibility and accountability for the unlawful collection and transfer of EU citizens’ data away from themselves. With that in mind, Reynders cautiously calls for accountability from these U.S. tech companies on their compliance with the DPF: “It will be for the companies to show that they’re in full compliance with the GDPR [General Data Protection Regulation].”

Now that the DPF has been launched, attention will be on two things: whether the DPF does what it sets out to do—reforming the transfer of data across the Atlantic—and whether U.S. businesses and the U.S. government will comply for good.