A new report is highly critical of the legality of the EU-US Data Privacy Framework (DPF). The new EU-US Data Privacy Framework (DPF) is supposed to regulate data exchanges between the two continents. This article summarizes the shortcomings, as found in the report "Reconstitutionalizing privacy: EU-US data transfers and their impact on the rule of law, rights and trust" and presentation thereof at the CPDP.ai 2024 congress.
The report offers a dismal analysis of the ability of the current legal framework to meet the privacy and rule of law protection requirements of the European Union (EU). The report follows two previous legal frameworks, Privacy Shield and the Privacy Shield 2.0, which were rejected by the European Court of Justice in the Schremms I and II rulings and consistently provided the current Data Protection Framework. The framework is important because it provides the legal basis for the massive data exchange between the two continents.
The report was presented last week at the CPDP.ai conference. It came out of a collaboration between the Centre for European Policy Studies, the Leibniz Institute for Information Infrastructure and the University of Liverpool.
Under the AVG, international data transfers to third countries must meet strict conditions, including adequate levels of protection equivalent to those within the EU. Recently, the U.S. attempted to meet these requirements with the adoption of Executive Order (EO) 14086.
Nevertheless, the report concludes that the current Data Protection Framework continues to cause deep legal uncertainty. This is mainly because the decision is based on the authority of the current U.S. administration under President Joe Biden, which, with the approaching election, adds to the legal uncertainty.
Calli Schroeder, who works at the Electronic Privacy Information Center, points out cultural differences between the U.S. and the EU when it comes to privacy at a panel discussion on the report. The U.S. often sees privacy and innovation as opposing factors, while the EU sees the right to privacy as a fundamental right.
Schroeder argues that the current framework neither meets the fundamental requirements of the AVG nor covers the cultural divide between the continents. She says the U.S. executive order is the result of the immense task that the AVG presents for Americans, and emphasizes that legislators are unable to pass federal privacy legislation, sometimes even in the face of bipartisan support.
Schroeder: "The pressure from big technology companies is something that we also really have serious problems with when it comes to regulation in the U.S.: they can intrude on those laws and rules that we're trying to intervene in, manipulate the language a lot of influence at the state, local and federal level."
Executive order 14086 introduced a new redress mechanism to provide effective due process, a core requirement formulated in the Schrems II ruling (2). With the creation of the Data Protection Review Court (DPRC), the U.S. hopes to meet this requirement. But the Data Protection Review Court (DPRC), according to the report, does not qualify as an independent judicial tribunal, which is an indispensable requirement for due process and the rule of law in the EU legal system.
Rather, the Data Protection Review Court is an administrative body under the U.S. Department of Justice and is directly accountable to the president. The so-called judges will review individual complaints in confidential, one-sided proceedings and make decisions that cannot be appealed.
The lack of independent judicial review clashes with the principles of EU law. Panelist Margot Kaminski, University of Colorado professor of AI and privacy, highlights the comparative complexity of the Data Protection Framework. She argues that legal concepts such as the proportionality and necessity principles have different meanings in the European context than in the U.S. context.
Indeed, in the context of the U.S. executive order, unlike in the European context, the terms will not imply any separation of powers. This is because the executive order refers purely to the executive branch of the U.S. government. This therefore includes the Data Protection Review Court.
Another shortcoming of the Data Protection Framework is that it remains unclear whether it will lead to any meaningful change in the way U.S. intelligence agencies monitor EU citizens. U.S. surveillance tools such as Executive Order 12333 on foreign electronic intelligence and Section 702 of the Foreign Intelligence Surveillance Act (FISA) remain in place.
These allow U.S. authorities to collect electronic communications of non-Americans outside the country on a large scale for intelligence purposes, without individual judicial review. Further, EO 14086 does not adequately define crucial terms such as "bulk collection. Instead, the EO chose a definition and scope of "bulk collection" that the European Court of Justice criticized in Schrems II. Again, therefore, there is no concrete rapprochement by the Americans.
According to privacy lawyers at nonprofit None Of Your Business (NYOB), the Data Protection Framework is largely a copy of the earlier Privacy Shield. The organization announced last year that it would challenge the Data Protection Framework (3).
The panel expressed little confidence that the Data Protection Framework will pass a judicial review by the European Court of Justice. With that, the third attempt at a data-sharing framework between the U.S. and the EU appears to have failed, and further ping-ponging between the European Commission and the U.S. government will have to continue.
(1) https://cdn.ceps.eu/wp-content/uploads/2024/05/TASK-FORCE-REPORT-EU-US-DATA-TRANSFER-1.pdf
(2) https://curia.europa.eu/juris/liste.jsf?num=C-311/18
(3) https://noyb.eu/nl/european-commission-gives-eu-us-data-transfers-third-round-cjeu
