EU-US Privacy Framework needs a long hard look
The Commission has enthusiastically endorsed a recent US order to implement a new framework to protect the privacy of personal data shared between the US and Europe. Dick Roche begs to differ.

Dick Roche is a former Fianna Fáil politician. He was the minister of state for European affairs when Ireland conducted the two referendums on the Treaty of Lisbon of the European Union in 2008 and 2009.

On Friday (7 October), President Biden signed an executive order to implement a new framework to protect the privacy of personal data shared between the US and Europe. The order follows an agreement reached in March between the US and the EU Commission.

The question arises whether the proposed arrangements meet the requirements set out by the Court of Justice of the European Union in its judgement in the Schrems II case.

In the Schrems II case, the Court found that US law did not satisfy EU requirements regarding access to and use of personal data. It flagged concerns that US public authorities’ use of and access to EU data were not restricted by the principle of proportionality. It said it was “impossible to conclude” that the EU-US Privacy Shield arrangements could ensure a level of protection essentially equivalent to that guaranteed by the EU General Data Protection Regulation [GDPR]. The Court also believed that the Ombudsman mechanism created by Privacy Shield was inadequate and that the office’s independence could not be guaranteed.

Overall the CJEU concluded that the Privacy Shield arrangements could not guarantee actionable rights equivalent to those required by the GDPR. The judgement set a high bar for any new EU-US Data Privacy Framework. It is questionable whether the arrangements signed off by the US and the EU Commission reach that bar.

On Friday, a White House Fact Sheet claims that President Biden’s Executive Order (EO) “adds further safeguards for signals intelligence activities”.

The EO has four key elements.
First, it requires that US intelligence activities must be conducted only in pursuit of defined national security objectives, must take into “consideration the privacy and civil liberties of all persons, regardless of nationality or residence”, and must “be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority”.

It sets out requirements for handling personal information, including requiring compliance officials to ensure that “appropriate actions are taken to remediate incidents of non-compliance”.

It also requires US Intelligence agencies to update “policies and procedures to reflect the new privacy and civil liberties safeguards” contained in the EO.

The fourth element in the US Order establishes a two-tier mechanism “for individuals from qualifying states and regional economic integration organisations to obtain an independent and binding review and redress of claims that their personal information was collected or handled by the United States in violation of applicable US law.”

In the first instance, aggrieved parties may complain to a ‘Civil Liberties Protection Officer’ (CLPO) appointed by US intelligence agencies to ensure compliance by US intelligence agencies with privacy and fundamental rights.

Decisions of the CLPO can be appealed to a Data Protection Review Court (DPRC).
The ‘Court’, “composed of members chosen from outside the US Government”, will be empowered to take binding remedial decisions.

The EU Commission has endorsed the US order enthusiastically, characterising the arrangements it has negotiated with the Biden administration as providing “a durable and reliable legal basis for transatlantic data flows”.

It portrays the arrangements as a substantial limitation on US security agencies’ access to data, establishing “an independent and impartial redress mechanism” to investigate and resolve complaints.

The Commission characterises President Biden’s order as addressing “all the points raised by the Court of Justice of the EU”. This view, which will undoubtedly be questioned, echoes comments made by the US Secretary of Commerce Gina Raimondo on the day before the President signed the order.

The European Centre for Digital Rights (NOYB), founded by Max Schrems, flagged several fundamental concerns in an initial reaction. It points out that the keywords in the Schrems II judgement are interpreted differently on either side of the Atlantic: while the US administration and the EU Commission have copied the words “necessary” and “proportionate” from the CJEU judgement into the agreement, they are not ad idem as to their legal meaning. Were they on the same page, the US would have to fundamentally limit its mass surveillance systems to comply with the EU understanding of “proportionate”, which will not happen!

The centre also points out that the “Court” created by the US Executive Order is a body within the Executive Branch of Government and not a “judicial redress” as required under the EU Charter.

The American Civil Liberties Union makes a similar point.
It rejects the view that the arrangements in the Biden EO “adequately protect the privacy of Americans and Europeans” and concludes they fail “to ensure that people whose privacy is violated will have their claims resolved by a wholly independent decision-maker.”

ACLU also points out that the Executive Order is not legislation; it can be amended at any time by a sitting President. It renewed its call on Congress to reform US surveillance laws radically.

The Transatlantic Consumer Dialogue also believes that the new provisions do not adequately protect European citizens’ fundamental rights to privacy and data protection, as established in the EU Charter of Fundamental Rights and GDPR.

With the adoption of the US Executive Order, the ball is now back in the EU Commission’s court. The EU executive will now prepare a draft adequacy decision and launch an adoption process which requires an opinion from the European Data Protection Board and greenlighting from a committee composed of representatives of the EU member states. The European Parliament has a right of scrutiny over adequacy decisions.

Given the concerns that have been expressed on both sides of the Atlantic since President Biden signed his Executive Order, and bearing in mind the propensity of US agencies to overreach their authority, we all need to take a long hard look at what is on the table. At this point the odds of a Schrems III case seem very high.