A new data transfer agreement to facilitate companies safely and legally moving data across the Atlantic has been in the works for nearly two years.
During a week of NATO, G7, and European Council summits in Brussels last month, where Ukraine dominated the agenda, the U.S. and the E.U. revealed a new deal for underpinning digital trade between the two economies. Activists and privacy experts still have major concerns about how vigorous the agreement will be in guarding Europeans from U.S. mass surveillance.
The fact that President Joe Biden and European Commission President Ursula von der Leyen made the announcement in a joint press conference alluded to the significance of the deal, even though, for now, it is only an agreement in principle.
The legal status of data transfers across the Atlantic has been tumultuous.
Safe Harbor, a framework first instituted in 2000, was struck down by the European Court of Justice (ECJ) in 2015 over its lack of protection for European data from mass surveillance by U.S. authorities. Its attempted successor Privacy Shield met the same fate in July 2020.
Since then, data transfers, which Facebook, Microsoft, and many tech giants rely on, existed in legal limbo as officials in the EU and U.S. scrambled to negotiate yet another agreement.
In the interim, companies rely on a series of alternative but complex mechanisms, called standard contractual clauses (SCCs), to keep data flowing. Agreements like this new one are pivotal as the EU only permits data to flow to countries and jurisdictions that have an equivalent level of data protection to Europe.
While it seems the discussions are beginning to bear fruit, for industry and privacy activists alike, the concern is still palpable about whether Europeans’ data will be free from U.S. scrutiny.
The tech industry was quick to welcome the latest agreement in principle. DigitalEurope, a lobby group for Meta, Amazon, Google, and more, said the agreement is necessary for preserving almost €1 trillion worth of EU-U.S. commerce every year.
Director general of DigitalEurope Cecilia Bonefeld-Dahl said in a statement that the details will need to “deliver an agreement that stands the test of time.”
With its predecessors collapsing after legal challenges, building a framework for the long haul will be the ultimate test for this agreement to avoid EU-U.S. data flow falling into disarray again.
At the core of these challenges is surveillance and privacy, going back to the disclosures of Edward Snowden and the revelations of U.S. mass surveillance across the globe.
The European Court of Justice found that both Safe Harbor and Privacy Shield lacked robust mechanisms for ensuring that a European’s data transferred to a server in the U.S. would not be unlawfully caught up in a dragnet.
The court’s findings shined a light on the discrepancies between EU and U.S. privacy rights. Since then, the EU has only strengthened data protection, most notably with the General Data Protection Regulation (GDPR), which provide sweeping rules for safeguarding people’s data. The U.S. has no such law on a federal level.
Privacy activist Max Schrems led the legal challenge against both agreements.
After the Snowden revelations, Schrems first challenged Meta in the European courts over the legality of transferring data to the U.S. The case sought to uncover how a person’s data is treated when it leaves Europe and enters the U.S. The court found that Safe Harbor, the framework Meta was using, wasn’t up to snuff in protecting this data from unlawful surveillance. This ultimately led to the downfall of Safe Harbor and kickstarted this long-running saga.
The Austrian, who has dubbed the new deal “lipstick on a pig,” told the Daily Dot in an email that there remains a “fundamental clash” between the EU and U.S. when it comes to the surveillance question.
He said he expects that it too will collapse under the scrutiny of activists, lawyers, and ultimately the Courts of Justice of the European Union (CJEU).
“Either we (if it is really bad) or someone else will probably bring it back to the CJEU again. This time just much faster than before,” he said.
Schrems is not alone in his assessment.
Estelle Masse, Europe legislative manager at Access Now, said the announcement by Biden and von der Leyen was a “disappointment” as there is still a lack of detail on the meat of the agreement that will “ensure that it is a durable deal and one that would resist a challenge in front of the court.”
Once again, surveillance is the problem.
Both the EU and the U.S. stated that there would be safeguards to ensure only “necessary and proportionate” access to data by U.S. intelligence authorities along with the establishment of a Data Protection Review Court for Europeans to take cases against the U.S. if they believe they have been subjected to unlawful surveillance.
Previous attempts to assuage European concerns included establishing an ombudsperson to field complaints, but the Trump administration took years to nominate a permanent official for this role.
This new court is a fresh attempt to provide Europeans with means for redress, but Masse raised concerns about how independent this court will be given that it will be established via executive order.
“It’s not actually a right to remedy, so it doesn’t satisfy the criteria that the [European] court has set, so a right to remedy in practice still does not exist,” Masse said. “There is no indication in none of the announcements that the U.S. would actually commit to stop bulk surveillance.”
The sentiments raised in Europe are echoed by Ashley Gorski, a senior staff attorney at the American Civil Liberties Union.
“We’ve maintained that U.S. legislative reforms are essential to ensure an agreement that will survive judicial scrutiny by the [European] Court of Justice. The announcement was made even though there has not been any legislative reform,” Gorski told the Daily Dot.
The Data Protection Review Court will likely face a great deal of examination amid concerns about “satisfying EU legal requirements for independence.”
“The ACLU has proposed that the most straightforward way to deal with this disconnect that exists between EU and U.S. law is to have Congress make a couple of changes that would make it easier for individuals to bring surveillance challenges in Article III federal courts because those courts are already equipped to review these kinds of claims,” she added.
As all of these questions swirl, Masse said that it is most likely the agreement “will be sent in front of the court” much like its predecessors. If a remedy doesn’t meet the standards set by the EU, the framework could collapse a third time.
Article 19, another digital rights organization, told the Daily Dot that more needs to change on the U.S. side of things to truly make the agreement work—namely a federal data protection law akin to the EU’s GDPR.
“The lack of a U.S, data protection law is the real problem, and the collection of half-baked agreements, two of which have already been rejected by the [courts], that fail to provide any concrete rights or guarantee anything, doesn’t solve anything with regard to this matter,” a spokesperson said.
“In reality, unless the U.S. passes legislation curbing their intelligence gathering, it will be as flawed as the previous Privacy Shield.”
Despite these concerns flagged by activists, industries will be pushing hard to get this new data transfer deal over the line to end the legal questions that have hung over transatlantic data transfers for nearly two years.
Lisa Sotto, a cybersecurity and privacy lawyer, said that companies have struggled to navigate the legality of their data transfers since Privacy Shield was struck down. The alternative data transfer mechanism has been a headache to implement.
She said the agreement needs to be passed and implemented swiftly but conceded that legal challenges are inevitable.
“I expect Max Schrems to bring an action against whatever agreement is reached. I hope we will ultimately reach a sensible place. Not having this sort of mechanism in place for data transfers has been crippling to businesses.”
The ACLU’s Gorski added that the objectives are clear but the routes to get there are still muddled.
“This is really just about ensuring that people have the opportunity to seek meaningful redress when they’ve been subject to unlawful surveillance,” she said.
“Right now folks are eager to see what the actual text looks like. We have an agreement in principle, we have factsheets, but the text itself will matter. However, it is difficult to see how this agreement will survive judicial scrutiny in the EU in the absence of U.S. legislative reform.”