The long-awaited EU-U.S. Data Privacy Framework becomes fully operational this month as eligible businesses can finally rely on it to transfer data more freely across the Atlantic. Although the new agreement would ease transatlantic data flows and limit U.S. intelligence access to sensitive personal data, it now faces an uphill battle in European courts.
While the framework’s legal viability remains to be seen, European privacy concerns highlight the growing need for stronger protections against government surveillance under U.S. law.
Cross-border data transfer has been a thorny issue in transatlantic relations, pitting U.S. national security objectives and surveillance practices against European privacy concerns. In July 2020, the Court of Justice of the EU (CJEU), the bloc’s top court, nullified the agreement — known as the Privacy Shield — in its Schrems II ruling, due to concerns about U.S. surveillance practices. This decision followed its Schrems I judgment in 2015, in which the court struck down a previous data-sharing arrangement, called the Safe Harbor agreement, over similar concerns.
Following the Schrems II decision, numerous companies could no longer rely upon the Privacy Shield to move user data freely between the two jurisdictions and process European Union user data on American servers. Consequently, successive U.S. administrations have sought to negotiate a new agreement that would enable easier data flows across the Atlantic.
The Biden administration and the European Commission finalized the third and most recent agreement — called the Trans-Atlantic Data Privacy Framework — in July. The deal follows President Biden’s executive order last year that created certain safeguards and redress mechanisms for European residents, including the establishment of a U.S. “Data Protection Review Court.” The agreement also restricts U.S. intelligence access to European user data to what U.S. authorities consider “necessary and proportionate.”
While these terms appear to have convinced the European Commission, the EU’s executive wing, it is unclear whether they would satisfy the CJEU’s legal requirements. Maximillian Schrems, the Austrian lawyer behind the two CJEU cases that brought down the previous data transfer agreements, has indicated that he will file a new lawsuit this autumn.
More specifically, the CJEU requires that “U.S. surveillance is proportionate within the meaning of Article 52 of the Charter of Fundamental Rights (CFR)” and that “there is access to judicial redress, as required under Article 47 CFR.” However, as Schrems points out, while the Biden administration and the European Commission agree in principle on proportionate surveillance, “proportionality” has different meanings under U.S. and European law. Consequently, it remains to be seen whether the recent deal will satisfy the CJEU’s definition of “proportionality” and its legal requirements for the data-sharing agreement.
Likewise, while the CJEU has mandated the creation of judicial redress mechanisms, the Data Protection Review Court — a U.S. body within the executive branch with limited independence — might fail to meet the CJEU’s definition of a court.
Consequently, the new transatlantic agreement remains subject to the legal challenges that led the CJEU to annul the two previous data transfer frameworks. Apart from Schrems’ upcoming lawsuit, French lawmaker Philippe Latombe brought two separate legal challenges against the deal last month. These lawsuits are supported by members of the German Bundestag across the political aisle, who criticize U.S. privacy law for providing inadequate privacy protections for European users.
Against this backdrop, Washington and Brussels must find ways to improve transatlantic data transfer practices. As a first step, the U.S. government should comply with the executive order’s commitments, limit surveillance of European users and ensure the independence of the Data Protection Review Court.
More importantly, American lawmakers should take European legal concerns seriously. Contrary to popular perception, European objections to transatlantic data transfer are not about whether the overall U.S. approach is too restrictive or permissive — but about whether U.S. law offers adequate protection against government surveillance.
Notwithstanding certain overly restrictive aspects of the EU’s General Data Protection Regulation (GDPR), its legal obligations apply to both government and private entities. More importantly, the GDPR imposes significant limitations on governments’ ability to access sensitive personal data.
In contrast, U.S. privacy rules — a growing patchwork of sector-specific federal laws, regulations and state privacy statutes — often do not apply to government entities and fail to provide adequate protection against surveillance. The absence of a comprehensive federal privacy law also means that there has been little standardization of privacy obligations across various sectors and states and for different types of actors, including national security and law enforcement authorities.
As Congress considers passing federal privacy legislation, U.S. lawmakers should recognize that Americans would benefit from stronger safeguards against surveillance and limitations on government access to personal data. Such measures would surely facilitate transatlantic commerce — but more importantly — they would help check government abuses of power and uphold fundamental rights and civil liberties for U.S. and foreign nationals alike.
Ryan Nabil is the director of technology policy and senior fellow at the National Taxpayers Union Foundation, a think-tank in Washington, D.C. Formerly, he served as a research fellow at the Competitive Enterprise Institute and as a Fox Fellow at the Institut d’Études politiques de Paris (Sciences Po).