The U.S. government has issued a directive upon which the EU will use to justify the free flow of the personal data of its citizens and residents across the Atlantic even though the EU’s top court may find the U.S. measures insufficient under EU law.
In the last 15 years, political agreement on data flows between the United States (U.S.) and European Union (EU) has been relatively easy to reach. The EU’s courts, however, have taken a different view with the Court of Justice for the European Union (CJEU) having twice struck down the European Commission’s finding that the U.S.’ laws offered essentially equivalent data protection rights to EU persons. In response to the latest decision, the U.S. and EU have adopted an approach crafted by a trio of law professors on how the Biden Administration can provide equivalent rights without legislation. It seems doubtful the CJEU will bless this arrangement when a challenge reaches the court.
Data flows between the EU and U.S. have been valued at more than $250 billion annually, and the U.S. government has claimed that “U.S. goods and services trade with the EU 27 totaled an estimated $1.1 trillion in 2019.” So, if these statistics are close to accurate, data flows make up a significant portion of trade between two of the largest economies in the world. However, data flows have been impeded over the last ten years. In 2015, the CJEU struck down Safe Harbor, the first U.S.-EU data flows agreement, and in 2020, the same court struck down the successor arrangement, Privacy Shield, on many of the same grounds. In the latter decision the CJEU voiced its doubts about whether U.S. law provided the protection and redress available to EU persons in light of the U.S.’ signals intelligence activities, most of which are beyond the ability of U.S. persons to challenge.
Under Article 45 of the General Data Protection Regulation (GDPR), the personal data of EU citizens and residents can only be freely transferred to other nations if they provide an adequate level of protection as the GDPR and other EU law. At present, the EU has adequacy decisions with respect to 14 nations. Without an adequacy decision, EU data controllers need to use supplemental measures like standard contractual clauses (SCC) to achieve the necessary level of protection needed in order to transfer personal data for processing or onward transfer. In a perfect world, the EU would give the U.S. an adequacy decision the CJEU would accept that would permit personal information to be transferred and processed in the U.S. Another possibility for an adequacy decision is based on the U.S. changing its laws to permit EU persons to have meaningful redress in order to have equivalent rights to what they have in the EU. However, the elephant in the room, as always, is that the U.S. conducts significant surveillance that implicates the personal information of many non-Americans and does not permit people the same judicial redress that people in the EU enjoy.
Now comes the U.S. and EU in trying for the third time to implement a data flows framework that will withstand EU judicial scrutiny. After more than a year negotiating, the U.S. and EU reached a deal based on a proposal put forward by three data privacy experts based on their reading of EU and U.S. law. At a March 2022 joint press conference, U.S. President Joe Biden claimed:
§ This new agreement will enhance the Privacy Shield Framework; promote growth and innovation in Europe and the United States; and help companies, both small and large, compete in the digital economy.
§ Just as we did when we resolved the Boeing-Airbus dispute and lifted the steel and aluminum tariffs, the United States and the EU are finding creative, new approaches to knit our economies and our people closer together, grounded on shared values.
§ This framework underscores our shared commitment to privacy, to data protection, and to the rule of law. And it’s going to allow the European Commission to once again authorize transatlantic data flows that help facilitate $7.1 trillion in economic relationships with the EU.
EU President Ursula von der Leyen contended:
§ And we also need to continue adapting our own democracies to a changing world. This is particularly true when it comes to digitalization, in which the protection of personal data and privacy has become so crucial.
§ And therefore, I’m very pleased that we have found an agreement in principle on a new framework for transatlantic data flows. This will enable predictable and trustworthy data flows between the EU and U.S., safeguarding privacy and civil liberties.
§ And I really want to thank Commissioner Reynders and Secretary Raimondo for their tireless efforts over the past month to finish a balanced and effective solution. This is another step in our — strengthening our partnership. We managed to balance security and the right to privacy and data protection.
In order to execute the U.S.’ obligations under the Trans-Atlantic Data Privacy Framework, President Joe Biden signed an “Executive Order (EO) On Enhancing Safeguards For United States Signals Intelligence Activities” that purports to address the lack of redress EU citizens have regarding U.S. surveillance. This executive order implements the agreement in principle the U.S. and EU reached in late March and lays out the steps the administration will take to address successive rulings by the CJEU striking down previous data flows deals.
From the onset, the CJEU and critics of the EO will state the obvious. The U.S. efforts to conform to EU law can be easily rescinded by a future President, for unlike regulations promulgated under the Administrative Procedures Act, Presidential directives are not subject to the procedural requirements mandated for undoing regulations. A short Presidential directive wipes away previous directives. Hence, those in the EU may view the Biden Administration’s actions skeptically.