Google, Facebook illegally processing our data - What can the new EU-US agreement do about it?
Formulation is also important: while Ursula Von der Leyen wrote about an agreement in principle, and this is taken up by the official press release Didier Reynders, commissioner for justice mentioned agreement about the principles of the framework. The detailed factsheets published by the EU and the U.S. government are a little different. Nevertheless both mention that the new system will remedy the problems found in the previous arrangement (the Privacy Shield) by the European Court of Justice:
- that the national security agencies of the States should have access to personal data only based on necessity and proportionality;
- that the processing of personal data by these agencies should be subject to effective supervision and
- that the data subjects should have effective and enforceable redress.
The Computers and Communications Industry Association welcomed the agreement and the reactions of European enterprises and politicians were also positive. The data protection community is sceptical, however. The first reaction by Max Schrems who successfully challenged the two previous transfer systems in court and whose NGO called None Of Your Business (NOYB) fights actively to enforce the judgment, launching complaints for example against websites using American subcontractors, was really brutal.
Optimism is moderated mainly due to the legal uncertainty but also as this is only an agreement in principle and although the final text is promised to arrive within weeks, it has to go through several phases to take indeed effect. On one side the legal changes have to be enacted in the U.S. (see later) but Europe also has things to do.
The solution will be commented on – depending on the concrete legal form – the European Data Protection Supervisor and the European Data Protection Board which consists of the data protection authorities of the EU member states and maybe also the European Parliament and the Council of the EU. All this can last months.
It is almost certain that the setup – although only after having entered into force – will land in the European Court of Justice which set very strict criteria in order not to find a next arrangement unlawful.
We have to place a bracket here as the concrete solution can be at least twofold:
- The European Commission is entitled – after the consultations mentioned above – to adopt a so-called adequacy decision, which establishes that the legal system of the target country ensures equivalent protection with the requirements in the European Union. The two previous structures were like that, but was valid only for those commercial organisations which registered into the system managed by the U.S. Department of Commerce and undertook to comply with its conditions. This side didn’t present any serious problems, the deficiencies of the first framework (the Safe Harbour) were remedied by the Privacy Shield. The problem was with the almost unlimited right of access – established after the 2001 attacks and reinforced under president Trump – by the national security agencies of the States. This adequacy decision is the option which is more probable as the official communication mentions that companies will have to continue to comply with the Privacy Shield requirements.
- at the same time there are some other transfer mechanisms which do not require a Commission decision. The most frequently used is signing the standard contractual clauses. The recipient undertakes in this contract to comply with EU rules but this is not sufficient. The two parties also have to assess together, whether there is anything in the legal system of the target country which would make compliance impossible. The European Court of Justice established that there is in the present American legal system – exactly in the area of national security surveillance. This is what the measures undertaken by president Biden would change.
The timing and risk of transferring data under these two options is different in practice.
First, of course, the legal acts have to enter into force and the promised institutions created in the U.S. Then the second option means that the senders and recipients of data can re-evaluate the situation. If they find that the conditions of the transfer are ensured – i.e. that the new situation enables compliance with EU rules – then they can start exchanging data immediately. The risk is whether the data protection authorities or, in case the issue goes to court, the courts agree with them. Data protection activists most probably are waiting to jump on these cases.
It is evidently not probable that a small enterprise offering courses on an American platform or using Google fonts (following a recent decision of a data protection authority, if this latter has access to the IP addresses of the users, this is transfer of personal data to the U.S.) but are waiting for a well-known large portal. One case which may be re-assessed, is the forwarding of user data by Facebook to its headquarters, which was the basis of the Schrems-ii case and where the Standard Contractual Clauses are the legal basis of transfer. Every concrete case may, however, be different, as the French Supreme Court found storage of health (i.e. particularly sensitive) data at in the Amazon cloud lawful – in fact due to very strict safeguards – in the Doctolib case.
The other option is longer but safer for the companies: the adequacy decision can be adopted after the analysis and consultation following the American measures. Thereafter, however, as an eventual invalidation has no retroactive effect, transferring data will automatically be lawful. And invalidation will take time. At the same time, a data protection authority or any other concerned party can indicate to the Commission when they find that the American legal environment is not appropriate, but if the Commission does not react to that, the case has to go through the court as it happened in the case of the Privacy Shield.
But why is the agreement under attack? Its weak point is that it would be enacted via an executive order which can easily be amended or even withdrawn by another president. It is also not clear whether the supervision and redress bodies (this latter must practically be a court whose judgments can in fact be enforced) by an executive order. The general expectation is anyway that the Court of Justice in Luxembourg will not consider this as a stable system on which an adequacy decision can satisfactorily be based. The legal risk means that it is not sure it makes sense to start exchanging data in this situation when a new solution will have to be sought after invalidation again. It can be safely assumed that the first data transfer will immediately be subject to a complaint, and if the data protection authority does not prohibit it, go to court. In Europe the first instance can immediately turn with a reference for preliminary ruling to the European court. Whether it will be ready to judge with urgency, remains to be seen.
There is another question – which is not even mentioned – whether the time gained will be used by the Americans to enshrine the conditions in a law and create stable institutions. There is more and more support that – after many states already have an own data protection law – data protection should be regulated on a federal level. A law could also give to foreign data subjects the same redress rights what Americans have (it is with right a sore point that at the moment this is denied). Republican lawmakers will face an interesting dilemma: they have to balance their business-friendliness and the overall importance of national suzerainty and security. Due to the minute majority of the Democrats in the senate and the democratic senators potentially resisting due to the popularity of souverainism and national security, the parts of the law which restrict the rights of national security agencies, in particular against foreigners, may fail to gain agreement in Congress.
Although, as mentioned, the press releases mention the preservation of the present system of company registration, a big chance given by the EU-compliant regulation of handling of personal data by national security would be that data could be also transferred to U.S. authorities – just remember the difficulties of the sharing of passenger name records. This, however, is mentioned nowhere.
The acceptation of the presently outlined system will not have an easy route to acceptation in the U.S. either. It will be easy to attack the Democrat government as selling out security and suzerainty and one way of that will be a challenge in the court. The court proceedings may be longer than in Europe as a case has to go through the whole judiciary to arrive finally to the Supreme Court who has the right to invalidate a law. The chances there, on the other hand, are not good there.
On one hand the once liberal Court has shifted to the right during the years. For a long time the conservative, but far-sighted Anthony Kennedy (he was the only one of the Justices who taught in a law school in Europe) was the swing vote in many cases but he also retired in 2018. With the death of the charismatic Ruth Bader Ginsburg in 2020, president Trump could nominate the third judge during his presidency and thus the ratio of conservatives to democrats became 6 to 3. Also, early March the Supreme Court overturned a district court judgment which interpreted the Foreign Intelligence Surveillance Act as giving courts the power to review the legality of FBI surveillance. Although the case was sent back to the district court, it is clear that the government agencies can deny information to the courts based on state secrets. Although the case is not closed, the Civil Liberties Union considers the judgment itself as a grave infringement of civil rights.
The Court – in its previous composition – already avoided to (or was saved from having to) decide in a similar case which was about data stored outside the States by U.S. cloud providers as meanwhile the C.L.O.U.D. act regulated the question. We wrote about territorial scope and extraterritoriality here.
This predicts that such case law will not come down favourable with the European judges, but also that if the system is challenged before American courts, it may be destroyed. It is understandable that this agreement can be one highlighted step in the rapprochement of the EU and the U.S. and breathe new life into the Trans-Atlantic Tech-Trade Council – a potential emblematic result of the reconciliation brought by Biden. This trend is further reinforced by the war in Ukraine – not by chance that it was announced just now. If, however it fails because politics overrode professional and legal considerations, finding a solution will be made impossible for a long time.
This article reflects the views of the author, which do not necessarily reflect those of the Portfolio editorial team.
Cover photo: Getty images