To everyone’s surprise, last week’s EU-US summit and Joe Biden’s visit to Brussels ended with the announcement that the US and the EU have concluded “an agreement in principle” on “a new legal framework for GDPR-compliant transfers of personal data from the EU to the United States.”
Surprising, because up until now, all the signs seemed to indicate that such an agreement was very far away. After all, the legal water between the EU and the US is very deep: whereas Europe wants to be able to guarantee absolute confidentiality of the personal data of its citizens, the US has strict internal security laws that can always give American secret services such as the NSA access to virtually all European personal data processed by American companies. Those fundamental differences in privacy approaches led in the past to the ECJ’s Schrems I judgment, the Schrems II judgment and recently to significant fines for Austrian and French companies that used Google Analytics without complying with Europe’s strict data export regulations.
Our first observation is that this is a purely political agreement. There is no actual text proposal yet. Writing that proposal could take months and in any case it is subject to the (independent) advice from the European Data Protection Board and depends on the (uncertain) political support of the European Parliament. The chances of this political deal transforming into an actual new Privacy Shield seem rather small…
The next question then is whether a solution for transcontinental data exchange really is in sight here, or if this is – to put it in the words of Max Schrems himself – no more than “lipstick on a pig” and an open path to a future Schrems III judgment of the European Court of Justice…
Schrems I? Schrems II? Data export?
Many technology companies are located in the United States and there is therefore a lot of data export or export of personal data from the EU to the US. However, because privacy legislation in the US definitely does not reach the same “adequate” level as the strict requirements that GDPR sets in the EU, the US has never been placed on the short list of “adequate” or “safe” countries by the EU.
In order to ensure that American companies could continue to trade with partners in the EU, a different and specific system for data exchange between Europe and the United States was set up years ago. This system was successively called the Safe Harbor system and later, in a second version, the Privacy Shield. It prevented American companies from having to conclude an agreement with standard contractual clauses with their customers in the EU every time data had to be passed on to them, for example because it had to be stored or processed on their servers. Safe Harbor and Privacy Shield ensured that American companies were considered to be able to guarantee an adequate level of security for personal data if they met a number of strict conditions and if they were certified for this purpose in the US. It was, in other words, not US law itself, but the level of security guarantees offered by US companies that was considered “adequate”.
The first version of this system, Safe Harbor, was successfully attacked in 2015 by Max Schrems, who believed that no American company could guarantee an “adequate” level of security for personal data because American law grants extensive rights to American intelligence services to monitor and analyze personal data. This complaint eventually led to the Safe Harbor system being declared invalid and replaced by a similar system called the Privacy Shield.
That second EU-US agreement, the so-called “Privacy Shield”, was also undermined in 2020 at the initiative of Max Schrems. The European Court of Justice ruled – rightly so, by the way – that this regulation could not provide a level of protection that was equivalent to the level of protection that exists within the EU. Again, the reason for this was the far-reaching interference by American intelligence services, which systematically and on a large scale monitor data from, for example, e-mails and cloud storage services on the basis of the Foreign Intelligence Surveillance Act (FISA) or Executive Order 12333 or the Presidential Policy Directive. As a result of this, the ECJ declared the Privacy Shield invalid as well in 2020.
Since then, data export to the US has become a major legal problem for European companies, and the risk of very high fines in the past 2 years has proved more than real. Recently, Austrian and French companies were convicted for sharing personal data with Google in the US by using Google Analytics on their website, without having an appropriate legal basis to do so.
A new “agreement in principle”?
But now apparently a new “agreement in principle” has been reached between the US and the European Commission. The first and immediate conclusion is that this is not an agreement, but a rather vague declaration of intent that is far from a detailed treaty or agreement. A lot of water will have to run under the bridge before an actual agreement can be reached. Within the European institutions, both the (independent) European Data Protection Board and the European Parliament will have to give their blessing to a future detailed text proposal. Before we get to that point, a lot of time will pass and in the meantime, European companies working with American suppliers (Google, Facebook, Amazon, Microsoft, Mailchimp, …) continue to face a major problem of potentially illegal data export outside the EU. The euphoric reactions from the digital industry, for example from the American Computer and Communications Industry Association (CCIA), are therefore in our opinion somewhat too optimistic.
In terms of content, the short text that we’re faced with today does seem to indicate that the US want to take (limited) steps to allay the European concerns that led to the Schrems II judgment in July 2020, but that they are not yet prepared to make any really fundamental adjustments to existing national security laws in the US.
As far as we know today (we really only have the White House press briefings to rely on for now), the aim is to build a system that “can guarantee the privacy of EU citizens’ personal data and create a new mechanism for EU citizens to enforce their rights if they believe they are the subject of unauthorized access to their personal data by US intelligence agencies”. That should lead to a kind of “Privacy Shield 2.0”, based on the same building blocks as the Privacy Shield destroyed in 2020.
Specifically, this would mean that:
- European personal data should only be collected if it is “necessary to achieve legitimate national security objectives”, and “must not have a disproportionate impact on the protection of privacy and civil liberties” (But that is in reality already the case today; little or nothing changes here at first sight. Moreover, this is very vague as a starting point for a real agreement that will have to be “Schrems proof” in the end…)
- EU citizens can turn to an independent Data Protection Review Court, which will work independently from the US government (although it remains to be seen how this could be put in place and what the actual power of this “court” would be when faced with access requests by the NSA or other intelligence services)
- The US services will adopt “procedures that ensure better protection of privacy and civil liberties” (although it remains totally unclear which services are meant here and what these “procedures” would entail).
- The mechanisms of the old Privacy Shield remain: US companies must register for the Privacy Shield with the US government and must meet a number of minimum requirements. The US government oversees this and anyone on the list of “Privacy Shield accredited” companies is allowed to process European data.
Schrems III in the making?
The first political reactions were positive, but at the same time many lawyers immediately expressed their reservations and privacy activists such as NOYB and Max Schrems immediately reacted very critically. Max Schrems, without too much nuance, described the “Privacy Shield 2.0” as “lipstick on a pig”.
We cannot blame Max Schrems for his reaction. The “agreement” that was presented by President Biden does indeed look very flimsy and, in our view, shows little knowledge of and respect for European law and the functioning of the European institutions. After all, we cannot imagine that this proposal will pass through the European Parliament (with its sometimes very virulent consumer lobby) or the EDPB or that the European Court of Justice will suddenly think differently about FISA and the Cloud Act in a third attempt to get this “sold” to European citizens…
In our view, it is surprising that the US and the European Council believe that they can arrive at a new Privacy Shield on the basis of these vague principles. After all, the fundamental underlying shortcomings that led to the Schrems II judgment have manifestly not been removed. The most striking thing about this is the absence of any mention of possible changes in American national security legislation, while it is precisely this legislation that has turned out to be the core of the whole problem in both the Schrems I judgment and the Schrems II judgment…
Schrems III in the making, therefore, if you ask us. Or to summarize it with a translation of an old Dutch proverb: “even if a monkey wears a gold ring, it still remains an ugly thing”. We can only hope that the future will bring a better substantiated solution…
Questions about data export or Schrems?
Feel free to contact Sirius Legal for a first introduction via firstname.lastname@example.org or simply book an online introduction via the link next to this article.