The European Commission has revised its long-disputed data privacy framework that it hopes will simplify personal data transfers between the EU and the US. But guess what? Max Schrems isn’t happy.
Schrems is a data privacy activist and the founder of the non-profit NOYB, and he’s has been resolute in his goal to protect the principles enshrined in the GDPR (General Data Protection Regulation).
He’s been an instrumental figure in protecting EU residents’ from less rigorous data privacy rules in the US, but he’s also become a thorn in the side of organisations and regulators who want an effective way to make transatlantic data flows.
Schrems and NOYB came to prominence after mounting a legal challenge against Safe Harbour, which for a long time bridged the gap between EU and US data protection principles.
NOYB agued that Safe Harbor failed to uphold EU data protection laws, and in 2015 the courts agreed.
Politicians’ bid to replace that agreement was complicated with the announcement of the GDPR the following year. The regulation dramatically increased the power that individuals have regarding the way their personal data is processed and used.
By contrast, the US has done almost nothing on a federal level to bolster data privacy, and it’s created a major divide between EU and US attitudes towards personal data processing.
In 2016, after months of negotiation, politicians on either side of the Atlantic agreed to the EU–US Privacy Shield, which was swiftly dispatched after another legal challenge from NOYB, and it was a similar story for the EU–US Data Privacy Framework.
Schrems was quick to point out the same faults with the agreement, but this time it didn’t have a chance to be invalidated, with EU lawmakers urged to scrap its plans and go back to the drawing board.
Now, with a revised version of the framework revealed and Schrems still unhappy, we are running in circles.
Is anything different this time?
On 10 July 2023, the European Commission published an article saying that it had adopted its adequacy decision for the EU–US Data Framework.
It writes: “The decision concludes that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework.
“On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards.”
These will be familiar sentiments to anyone who has been tracking the development of this framework.
Last year, EU President Ursula von der Leyen and US President Joe Biden said they’d reached an agreement in principle for transatlantic data flows, with Biden signing an executive order on the matter in October.
But the agreement still had to pass through the European Parliament’s LIBE (Committee on Civil Liberties, Justice and Home Affairs), and it was not happy with the proposal. In a non-binding draft proposal, it pointed out similar concerns that derailed previous frameworks.
The LIBE advised that the European Commissioner should not proceed with the proposal “unless meaningful reforms were introduced”. And, unfortunately, the sorts of reforms it wants to see are at odds with US law.
According to the committee, there were still no robust government surveillance safeguards or mechanisms that give EU residents’ transferred data “actual equivalence in the level of protection”.
The committee also noted that President Biden’s executive order didn’t prohibit the bulk collection of personal data by US surveillance bodies.
Moreover, the president – whether that’s Joe Biden or a successor – is free to revoke or amend executive orders. This could mean, for instance, that the US could expand the list of legitimate national security objectives, changing the way that personal data collection works.
Schrems weighs in
The concerns surrounding the EU–US Data Privacy Framework resulted in many speculating that it would be challenged before the CJEU (Court of Justice of the European Union), which is why we have encountered delays.
However, with that issue anticipated and a new draft created, some people are still questioning whether the differences between the EU and the US’s approach to data protection can ever be resolved.
Writing on NOYB’s website, Max Schrems said: “The allegedly ‘new’ Trans-Atlantic Data Privacy Framework is largely a copy of the failed Privacy Shield. Despite the European Commission’s public relations efforts, there is little change in US law or the approach taken by the EU.
“The fundamental problem with FISA 702 was not addressed by the US, as the US still takes the view that only US persons are worthy of constitutional rights.”
He added: “We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong [after the previous successful challenges].
“We currently expect this to be back at the Court of Justice by the beginning of next year. The Court of Justice could then even suspend the new deal while it is reviewing the substance of it.”
So are we any closer to a sustainable solution for transatlantic data flows? Organisations would certainly hope so, but it looks as though we are as far away from a fix as we have ever been.
