Today, President Biden signed an Executive Order concerning a new agreement on EU-U.S. data flows.
The Executive Order follows the political “agreement in principle” on a new Trans-Atlantic Data Privacy Framework announced earlier this year by the European Commission. The U.S. Government and the European Commission have worked together since July 2020 to address the requirements of the Schrems II decision by the Court of Justice of the European Union (CJEU), which invalidated the previous arrangement on EU-U.S. data transfers, the so-called Privacy Shield.
The Executive Order will serve as the basis for a new “adequacy decision” by the European Commission that the U.S. has a satisfactory system regarding data protection, including addressing issues related to government surveillance and consumer privacy. The European Commission will now begin the ratification process of the new Executive Order, which is expected to take up to six months.
TACD First Statement
The Transatlantic Consumer Dialogue’s (TACD) first analysis of the announced measures reveals that the new provisions would not adequately protect European consumers’ fundamental rights to privacy and data protection, as established in the EU Charter of Fundamental Rights and the General Data Protection Regulation (GDPR), seen in the light of the CJEU’s decision on Privacy Shield.
For one, the measures do not seem to solve the issue of the lack of proportionality of the U.S. surveillance laws and practices – one of the main elements that render the current system incompatible with EU law, according to the CJEU. The Executive Order refers to new safeguards and includes the wording “proportionate” as in Article 52 of the EU Charter of Fundamental Rights (EU Charter), but it does not establish any mechanisms to limit the U.S. mass surveillance systems in place. For another, it seems like the Executive Order still does not provide for real judicial redress to European consumers.
The Order establishes a two-step procedure that includes an officer under the Director of National Intelligence and a so-called “Data Protection Review Court”. However, it seems that the latter might not be a judicial body as foreseen under Article 47 of the EU Charter or the US Constitution, but a body within the US government’s executive branch. The procedures before these two bodies will need to be closely analysed before a final statement can be made, but the structure currently looks closer to the “Ombudsperson” position that had existed under the previous framework, Privacy Shield. The CJEU has already proclaimed such forms of executive bodies as being in breach of the essence of Article 47 of the EU Charter and reiterated a need for judicial review or approval by an actual court.
The first analysis of the measures shows that the Executive Order does not provide the necessary basis for a decision that the U.S. offers effective and meaningful data protection. Together with the above shortcomings, the failure of the U.S. to have a robust overarching data protection law that ensures the privacy of its own citizens and consumers creates a barrier to any serious consideration of adequacy.
The current approach may cause further legal uncertainty for consumers for years to come and will fail a potentially new review by the EU’s highest court, the CJEU. In the current circumstances, TACD urges the European Commission not to adopt a new adequacy decision without further changes.
TACD will analyse the new Executive Order in detail in the coming days and will issue a set of Recommendations.
“In the commercial space the protections have been too weak and failed to ensure the essentially equivalent level of protection required under EU law. What is required is a sustainable arrangement that guarantees privacy protection and legal certainty, and self-regulatory solutions cannot substitute a regulatory system.” – Finn Lützow-Holm Myrstad (Norwegian Consumer Council), TACD Digital committee EU co-chair
“We will analyse the new Executive Order in detail, which will take a couple of days. At first sight it seems that the core issues were not solved and it will be back to the CJEU sooner or later.” – Max Schrems, chair of noyb.eu, member organisation of TACD
“Without details of how the Executive Order will be implemented, this means about as much as “we take your privacy very seriously” on a corporate website. We look forward to examining the EO to ensure that all problems identified in Privacy Shield have been meaningfully addressed with enforceable measures.” – Calli Schroeder (EPIC), TACD Digital Committee US co-chair
More from TACD on EU-U.S. data flows:
- Transatlantic Discussion with Rohit Chopra, FTC and Didier Reynders, European Commission (December 2020)
- TACD calls for pause in talks on a new data transfer agreement after invalidation of the Privacy Shield (July 2020)
- TACD Resolution on the EU-U.S. Privacy Shield Proposal (April 2016)
- TACD Statement in response to the European Court of Justice ruling on Safe Harbor agreement (October 2015)