Anyone who remembers the fairy tale of the emperor will probably remember that the emperor walked naked… Well, the new US Executive Order doesn’t seem to have much clothes on either.
Processing personal data in American cloud solutions or working with US partners in a way that involves the exchange of personal data has been a serious legal issue for several years now. Ever since the Schrems II judgment of the European Court of Justice undermined the old Privacy Shield between the US and the EU, on the basis of which European companies were allowed to send personal data to the US in a legally compliant manner, it is almost impossible for European companies to still use applications such as Google Analytics, Mailchimp, Office365 or Google Workspace without risking monster fines.
A new “Executive Order” by President Biden of October 7, 2022 is meant to solve that problem. An initial analysis, however, shows that this third attempt – after the already mentioned Privacy Shield and the equally stranded Safe Harbor a few years earlier – again fails to set up a system that can adequately protect the privacy of European citizens.
Our initial analysis of the new Executive Order shows insufficient guarantees in the long term for the safe storage and processing of European personal data in the US or by US companies…
What is the issue with data export again?
Most technology companies are located in the United States. A lot of personal data is therefore exported from the EU to the US. However, because privacy legislation in the US does not offer the same “adequate” level of protection as the strict requirements that GDPR sets in the EU, the US has never been accepted on the short list of countries with an “adequate” level of data protection by the EU.
To ensure that American companies could continue to trade with partners in the EU, the Safe Harbor and later the Privacy Shield frameworks were put into place: two cooperation protocols between the EU and the US on the basis of which American companies were expected to process European data “securely” and confidentially.
The European Court of Justice has, however, in two landmark judgments in the Schrems I and Schrems II cases stated that the security and confidentiality of EU data under Safe Harbor and Privacy Shield did not comply with minimum standards under EU law. The reason for this is and was the far-reaching interference of American intelligence services, which systematically and on a large scale monitor data from, for example, e-mails and cloud storage services on the basis of, for example, the Foreign Intelligence Surveillance Act (FISA), the CLOUD Act or Executive Order 12333. The Court therefore declared the Privacy Shield – rightly – invalid in 2020.
Since then, data export to the US has become a major legal problem for European companies and the risk of very high fines in the past 2 years has proved more than real. Recently, Austrian and French companies were convicted for sharing personal data with Google in the US by using Google Analytics on their website, without having an appropriate legal basis for doing so.
A new Executive Order in the run-up to a new deal?
Earlier this year, Commission President Ursula von der Leyen and US President Joe Biden pledged in a joint statement in Brussels that they would ensure a successor to the fallen Privacy Shield by the end of 2022, so that European companies could once again process personal data without risk through all often indispensable American tools that companies use every day for this.
To make such a new agreement possible, a new Executive Order had to be announced by President Biden, specifying the way in which and the extent to which American intelligence services can access European data and the way in which European citizens can file complaints with the American government in case of unauthorized access to their data. European data should only be accessible to American intelligence services if such access is “necessary” for the security of the United States and “proportionate”, and European citizens should be able to go to a court in the US in the event of unlawful access to their personal data.
On the basis of such an Executive order, the European Commission could subsequently conclude a new agreement with the US that could replace the old Safe Harbor and Privacy Shield agreements.
That Executive Order was published on October 7, but for the time being it does not appear that its contents will provide a solution in the short term for the many thousands of European companies that today process personal data of European citizens every day in violation of European law through the use of US software solutions.
What does the Executive Order say and why is it insufficient?
An Executive Order is not actually a law in the classic sense. It’s actually an internal directive from the US president. In this specific Executive Order, President Biden regulates the way in which intelligence services may systematically monitor and read European data flows in the future.
The problem in the past was that, according to the European Court of Justice, the way in which US security services were monitoring European data did not comply with two basic principles under European law and more specifically under GDPR: any processing of personal data must be “necessary” and must be “proportional”.
On a preliminary examination of the new Executive Order, it is clear that the US president’s lawyers have tried to adapt prior executive orders with a few cosmetic changes in an attempt to meet EU requirements.
In fact, only minor changes were made compared to the prior wording in earlier texts. Where before access to European personal data was allowed if it was executed “as tailored as feasible”, the wording now makes access possible if it is, as required by the EU, “proportionate” and “necessary”.
From a theoretical point of view, this might indeed solve all problems. That is, at least, if those terms had the same meaning in the US as they do for us in the EU, which unfortunately is not the case for the time being. “Necessary for US security” and “proportionate to the interests of the data subject” are judged by US intelligence agencies completely differently from the way the European Court of Justice judges them, and there is no indication that this will change in the short term. Everything points to the fact that even under this new Executive Order, the systematic monitoring of European data under FISA and the Cloud Act will simply continue and that little or no change in the field should be expected.
Moreover, the new Executive Order falls short on a second fundamental point from an EU law point of view. The European Court of Justice made it clear that European citizens must be guaranteed access to independent US courts in order to hold the US government accountable for any breaches of their privacy. That was not the case in the past because there was only an “ombudsman” within the US government itself who took note of complaints from European citizens. There was no question of any independence or guarantees for the basic rights of European citizens.
Here too, the proposed solution in the new Executive Order is unfortunately purely cosmetic. There is no real access to American courts. The Executive Order creates a new “court”, but on closer inspection that “court” is not what European law would require. The new court appears to be a purely administrative body within the American government itself, with very limited powers and a procedure that is anything but transparent and independent. EU citizens submitting a complaint to the new “court” for infringements of their privacy rights will find themselves confronted with a secret procedure behind closed doors that can lead to only 2 predefined decisions: either the court decides (on the basis of a secret file that not even the complainant can see) that no breach of privacy rights has taken place, or the court reports that there was indeed a breach of rights (but without any obligation to disclose details) and that it has ordered this to be remedied (but without any obligation to disclose how that should be done). From the point of view of the rights of defence as we know them in Europe, this is in our view impossible to justify.
Schrems III in the making?
The first reactions from privacy lawyers after the promulgation of the new Executive Order last week speak for themselves. The order does not feel very convincing and, in our view, shows little knowledge of and respect for European law and the functioning of the European institutions.
We cannot imagine that the European Commission will be satisfied with this text as a basis for a new agreement, nor can we imagine that the European Court of Justice will suddenly change its mind about FISA and the Cloud Act in a third attempt to get it “sold” to European citizens. If an agreement were to be reached between the US and the EU on the basis of this Executive order, we believe that a Schrems III judgment is already in the making…
The next step now is for the European Commission to investigate whether it can draw up a so-called “adequacy decision” on the basis of this Executive Order, which would make it possible again to exchange personal data with the US. That adequacy decision must be submitted to the EDPB for advice and must be approved by the European Council (i.e. by the Member States themselves). That process will undoubtedly take a long time, and a formal new decision is not expected before somewhere in the middle of 2023, if it can be made at all on the basis of this not very reassuring text.
If there is indeed an adequacy decision in 2023, European companies will be able to work with American tools again without fear of breaching EU data protection laws. At least, that is, until the European Court of Justice once again throws a spanner in the works, and as the cards lie today, that is actually a Chronicle of a Death Foretold…
What does this mean for you as a company?
For the time being, nothing will change for European companies. Data exports to the US remain a major legal problem and will remain so until at least mid-2023. Anyone who uses American tools such as Google Analytics, Mailchimp, Sharpspring, Salesforce, Active Campaign or thousands of others exposes themselves to considerable fines.
Do you still want to transfer data to the US or process it in an American tool? Then you should know that, on the one hand, you must provide a sufficient legal basis (Standard Contract Clauses) and that, on the other hand, you must perform a thorough and documented risk analysis (Data Transfer Impact Assessment) and decide to build in additional safeguards where possible (de facto in the form of total third party encryption of your data).