On July 10, 2023, the European Commission announced a new agreement regulating data flow between the US and the EU named the Data Privacy Framework (DPF). It’s a much-needed development considering the importance of data transfers in the global economy. But many issues around this new deal raise concerns about its sustainability.
Privacy watchdogs, including Max Schrems, a leading figure behind the striking down of Safe Harbor and Privacy Shield, argue that the new deal won’t stand a chance against the Court of Justice of the European Union (CJEU). So, what’s the future of transatlantic data transfers?
Read the story of the previous adequacy agreements to understand the underlying problems with data transfers between the EU and the US. Then, learn the details about the new framework and its possible impact on EU and US businesses.
There’s a significant difference between the US and EU approaches to individuals’ privacy rights.
EU law safeguards individuals’ privacy with instruments such as GDPR, the ePrivacy Directive, and the Charter of Fundamental Rights of the European Union (CFR). And since 1995, EU law has prohibited the transfer of personal data outside the EU unless the destination country offers an equivalent level of privacy protection.
The US legal system lacks such a comprehensive privacy framework. Although the Fourth Amendment protects the privacy of American citizens, individuals from other countries and regions, such as Europe, don’t have the same level of protection. Furthermore, the US government has authorized its agencies to conduct mass surveillance on non-Americans under laws like the Foreign Intelligence Surveillance Act of 1978 (FISA 702) and Executive Order 12.333.
These rifts in the approach to the privacy of EU and US residents are impossible to reconcile without a special agreement that sets clear rules for transferring and handling their data.
This is where the concept of an adequacy decision comes into play. An adequacy decision is one of the tools provided under GDPR to transfer personal data from the EU to third countries. In theory, it should give EU residents the certainty that if their data is exported to the US, it will be processed with the same level of protection as within the EU. But history shows that the data deals between the EU and the US are unable to deliver on this promise.
The International Safe Harbor Privacy Principles (Safe Harbor) were the first legal framework regulating data transfers between the EU and the US. The framework was introduced in 2000 and struck down by a ruling known as Schrems I.
With the Safe Harbor framework, US companies could operate based on their “self-certification” of compliance with European data protection regulations. The list of firms relying on the agreement to facilitate data transfers was over 5,000 names long and included the likes of Facebook and Google.
Safe Harbor started to crumble under allegations that, through access to the personal data of EU citizens gathered by tech giants, the National Security Agency could have infringed the fundamental human rights outlined in Article 8 of the European Convention on Human Rights.
Austrian lawyer Max Schrems lodged a complaint in 2013 about personal data being transferred from Facebook Ireland Ltd. to its US parent company and then accessed by US state security agencies. The activist argued that the framework provided insufficient protection of his fundamental right to privacy afforded by EU law.
In 2015, the CJEU found that the Safe Harbor program didn’t adequately protect personal data from “interference” from the US government. The ruling led to the invalidation of the framework.
Privacy Shield was meant to fix issues with the previous framework. It came into effect on July 12, 2016.
But the principles of the Privacy Shield were largely the same as in Safe Harbor. They also didn’t change after the introduction of GDPR. This means that from May 2018 onward, US businesses had been processing European data in a way that didn’t align with the current EU privacy framework.
All this led to another complaint brought to the CJEU by Max Schrems. In 2020, the ruling known as Schrems II struck down the EU-US Privacy Shield due to concerns about surveillance by US state and law enforcement agencies.
The CJEU stated that sending personal data from the EU to the US is unlawful if companies can’t guarantee it will be safe from US intelligence.
The impact of the Schrems II ruling was immense. Privacy Shield covered thousands of companies, including Facebook and Google. That group insurance policy, so to speak, had disappeared.
The invalidation of the agreement meant that there were no legal means for the cross-border transfer of personal data from the EU to the US, except for standard contractual clauses (SCCs). It became challenging for companies that relied on data transfers to work with US service providers.
Since the Privacy Shield verdict, the privacy watchdog organization NOYB has filed 101 complaints against companies that collect visitor data through Google Analytics and Facebook Connect. The list of companies includes businesses from multiple sectors, with prominent representation from publishing and finance.
The decisions by EU data protection authorities (DPAs) effectively banned the use of platforms such as Google Analytics in some European countries:
- On January 12, 2022, Austria’s DSB released its ruling in the case of an unnamed German web publisher. The regulator stated that using Google Analytics to collect data on EU residents is unlawful under GDPR.
- In April 2022, CNIL issued a decision ordering three French websites to stop using Google Analytics.
- In June 2022, Italy’s data protection authority (Garante) ruled that transferring personal data to the United States while using Google Analytics is unlawful under GDPR.
- In September 2022, the Danish data protection authority Datatilsynet became the fourth national regulator to conclude that Google Analytics does not comply with GDPR’s requirements.
- In March 2023, the Norwegian DPA released a preliminary opinion stating that using Google’s platform is illegal under GDPR.
- In May 2023, Finland’s DPA ordered the Finnish Meteorological Institute to stop EU-US data transfers using Google Analytics.
- In July 2023, Sweden’s data protection authority ordered four companies to stop using Google Analytics.
During that time, companies that relied on the services of Google and other platforms that sent data across the Atlantic were at higher risk of legal action from consumers, consumer rights groups, and DPAs.
On July 10, 2023, the European Commission adopted a new Data Privacy Framework, often referred to as Privacy Shield 2.0.
The new agreement addresses some concerns raised around Schrems II. It restricts how US spy agencies can gather intelligence and introduces new conditions for collecting people’s data, including ensuring only strictly specified types of data are collected.
The new framework also allows EU residents to seek redress through two bodies: the Civil Liberties Protection Officer and an independent Data Protection Review Court composed of members from outside the US government. These bodies can rule on claims and direct remedial measures as needed.
US businesses can join the Data Privacy Framework by agreeing to follow privacy responsibilities. These include deleting personal data when it’s no longer needed and protecting it when it’s shared with third parties. Companies must also adhere to data minimization, purpose limitation, and proportionality principles.
They can start processing EU residents’ personal data based on the framework from the date they get self-certified.
The new deal introduces a series of additional safeguards and requirements to limit access to EU residents’ data through US surveillance. But according to privacy advocates, it doesn’t do enough to meet European privacy standards.
“We had ‘Harbors,’ ‘Umbrellas,’ ‘Shields,’ and ‘Frameworks’ – but no substantial change in US surveillance law. The press statements today are almost a literal copy of the ones from the past 23 years. Just announcing that something is ‘new,’ ‘robust,’ or ‘effective’ does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work – and we simply don’t have them,” Schrems sums up.
NOYB points out the critical issues with the new framework, including the following:
The US didn’t reform FISA 702, despite the CJEU’s opinion that the bulk surveillance allowed by the law was not “proportionate” in the sense defined by Article 52 of the EU’s Charter of Fundamental Rights. Instead, the US implementation of the framework, EO 14086, uses a less strict interpretation of the term.
With FISA and EO 12.333 remaining unchanged, the rights of non-US residents are still not protected in line with the Fourth Amendment in the US and the CFR in Europe.
It is unclear if the US will remove the controversial provisions from the law during its FISA reform at the end of the year. Max Schrems suggests that the US government may not be willing to take this action since the data adequacy decision has already been signed.
NOYB argues that the Data Protection Review Court is not an actual court as defined by US law. They point to similarities between the Court, the Civil Liberties Protection Officer, and the institution of the “Ombudsperson” introduced in the Privacy Shield, which, according to the CJEU ruling, didn’t comply with Article 47 of the CFR.
The organization also criticized the extent of the recourse available to EU residents, stating there was no additional guarantee they would be heard beyond what was offered under the previous frameworks.
The EU bodies are also dissatisfied with the current shape of the framework. Before the deal’s implementation, the European Data Protection Board (EDPB) and the European Parliament (EP) raised concerns about the privacy safeguards afforded by the agreement. The EP has even called on the European Commission to renegotiate or challenge the deal before the CJEU:
“[The European Parliament] calls on the Commission to act in the interest of EU businesses and citizens by ensuring that the proposed framework provides a solid, sufficient and future-oriented legal basis for EU-US data transfers; expects any adequacy decision, if adopted, to be challenged before the CJEU; highlights the Commission’s responsibility for failure to protect EU citizens’ rights in the scenario where the adequacy decision is again invalidated by the CJEU.”
Other EU data protection bodies, including the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg and Hamburg, have also criticized the new deal:
“The European Commission will now have to decide whether there is equivalent protection for personal data in the USA. It is already questionable whether the Commission is even able to reassess the level of data protection in the US and issue an adequacy decision based solely on the Executive Order. The large number of open questions still to be clarified raises doubts. In this elementary data protection issue, however, the citizens of the EU need legal certainty just as much as the European and foreign companies affected by it. Should the European Commission allow the fundamental rights of EU citizens to take a back seat to economic interests for the third time in a row?” said Stefan Brink, the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg.
For businesses, the short answer is that the new framework makes using software that sends data across the Atlantic, such as Google Analytics and Facebook Ads, legal again once its vendors get certified. But considering the heated debate around the new framework, we might expect more complaints to pop up within the next few months. NOYB has already announced its next steps:
“We have various options for a challenge already in the drawer […]. We currently expect this to be back in the Court of Justice by the beginning of next year. The Court of Justice could then even suspend the new deal while it is reviewing the substance of it,” says Schrems.
It seems that for a deal to stick, the US has to adjust and introduce substantial changes to its legal framework, including FISA 702 and EO 13.222. But we don’t know when or if that will ever happen.
Companies concerned that the new complaints will lead to Schrems III might consider more future-proof options for collecting data under GDPR, especially since verdicts such as Schrems II apply retroactively and require re-examining existing contracts, which imposes serious obligations on the data exporter.
Here are some of the possible choices:
- Transfer limitations/exclusion and data anonymization. Big tech software relies heavily on user identification and data transfers. Limiting the transfers or stripping the data of personal information helps overcome this issue, but at a price. For example, when Google Analytics is configured to meet GDPR standards (as per the French DPA’s guidelines), it loses most of its capabilities.
- Updating the technology stack with EU alternatives. Schrems II opened the market for EU companies offering business and marketing software with local EU hosting. These alternatives allow organizations to become completely independent of the transatlantic data transfer ordeal.
The issues surrounding Privacy Shield 2.0 are evolving dynamically. We’ll keep you posted about any changes to the framework and cases brought before the Court of Justice of the European Union.
If you’d like to know how Piwik PRO Analytics Suite helps you comply with GDPR and other privacy laws worldwide while collecting valuable user data, be sure to get in touch.