European Commission gives EU-US data transfers third round at CJEU

New Trans-Atlantic Data Privacy Framework largely a copy of "Privacy Shield". noyb will challenge the decision.

Third attempt of the European Commission to get a stable agreement on EU-US data transfers will be likely back at the Court of Justice (CJEU) in a matter of months. The allegedly "new" Trans-Atlantic Data Privacy Framework is largely a copy of the failed "Privacy Shield". Despite the European Commission's public relations efforts, there is little change in US law or the approach taken by the EU. The fundamental problem with FISA 702 was not addressed by the US, as the US still takes the view that only US persons are worthy of constitutional rights.

• Comparison of the change in US law since 2014:
  • "Old" PPD-28 (2014)
  • "New" EO 14086, replacing PPD-28 (2022)
• Comparison with previous public relation efforts:
  • "Rebuilding Trust in EU-US Data Flows" and the "Umbrella" from 2013
  • Press Statement on the "Privacy Shield" from 2016
  • Media FAQs on the "Privacy Shield" from 2016
  • Single Page "Agreement in Principle" between Biden and von der Leyen from 2022
• European Commission Draft Adequacy Decision (December 2022)

Background. In 2013 Edward Snowden disclosed that the US government used "big tech" companies and programs like "PRISM" or "Upstream" under FISA 702 and EO 12.333 to spy on the rest of the world without the need for probable cause or judicial approval. This was not limited to crime or terrorism, but also included espionage on "partners" of the US. Since a 1995 EU law, personal data may generally not be sent outside of the EU unless there is a "essentially equivalent" protection in the destination country. The US industry heavily relied on a European Commission Decision called "Safe Harbor" that declared the US "essentially equivalent" in 2000. The CJEU has annulled the Commission Decision in C-362/14 ("Schrems I") in 2015, given the invasiv US surveillance laws. In 2016 the European Commission has passed largely the same Decision on EU-US Data Transfers again, under the new name "Privacy Shield", which was invalidated by the CJEU in C-311/18 ("Schrems II") in 2020 largely on the same grounds.

Ursula's and Joe's "Magic" Tricks. After the annulment of the "Privacy Shield" the negotiations between the EU and the US saw little progress. The US insisted that EU data would stay subject to US mass surveillance and "non-US" persons will not have the same protections as US persons. After little movement for more than 1.5 years, the US has reportedly used the war in Ukraine to put pressure on the EU on sharing personal data. Soon thereafter, Joe Biden and Ursula von der Leyen met on 25 March 2022. The same day, the two have suddenly "solved" what the lawyers were unable to solve and presented an "agreement in principle", a one pager which in essence contained two "tricks" that should calm the public:

• First, the CJEU found that FISA 702 bulk surveillance being not "proportionate" within the meaning of Article 52 of the EU's Charter of Fundamental Rights (CFR). The "new" US Executive Order 14086 (which is largely equivalent to PPD-28 from 2014) would now include the word "proportionate". The "trick" here: the US will attribute another meaning to the word "proportionate" than the CJEU. EO 14086 declares FISA 702 bulk surveillance to be "proportionate" under an undisclosed "US understanding" of the word and contrary to the two findings by the CJEU. This way the EU and the US were able to claim that they agreed on the same word ("proportionate") - even when there is no agreement on the meaning of the word.
• Secondly, the CJEU found that redress via the Privacy Shield "Ombudsperson" was not even remotely complying with Article 47 CFR - even when the Ombudsperson was hailed by the Commission public relations in 2016 as an "independent" form of "redress in the area of national security". The "trick" on redress: the Ombudsperson mechanism was renamed and split to a Civil Liberties Protection Officer (CLPO) and a so-called "Court" (which is not a court, but a partly independent executive body). While there are some minor improvements over the Ombudsperson, the individual will not have any direct interaction with the new bodies (they will have to send a complaint to an EU data protection authority and not be heard by the US) and they will give the exact same response as the previous "Ombudsperson". Under EO 14086 the CLPO and the Court must in any case respond by saying: "Without confirming or denying that the complainant was subject to United States signals intelligence activities, the review either did not identify any covered violations or the Data Protection Review Court issued a determination requiring appropriate remediation" (see here). The "judgment" of this "Court" is therefore known even before a case is brought. There are many additional problems with the mechanism, that will largely ensure that complaints will not even be admitted. It seems unthinkable that the Court of Justice would accept this as "judicial redress" under Article 47 CFR.
• Finally, the US has refused to reform FISA 702 to give non-US persons reasonable privacy protections. There is agreement on both sides of the Atlantic that FISA 702 and EO 12.333 violate fundamental rights under the 4th Amendment in the US and Articles 7, 8 and 47 CFR in the EU - but the US continues to insist that non-US persons do not have constitutional rights in the US - hence a violation of their right to privacy is not covered by the 4th Amendment.
• FISA 702 will have to be prolonged by the end of 2023, given that there is a "sunset clause" in US law. This would have been the perfect opportunity to improve US law, but given the new deal with the EU, there will be little reason for the US to reform FISA 702.

Overall the new "Trans-Atlantic Data Privacy Framework" is a copy of Privacy Shield (from 2016), which in turn was a copy of "Safe Harbor" (from 2000). Given that this approach has failed twice before, there was no legal basis for the change of course - the only logic of having a deal was political.

Max Schrems, chair of noyb: "They say the definition of insanity is doing the same thing over and over again and expecting a different result. Just like 'Privacy Shield' the latest deal is not based on material changes, but by political interests. Once again the current Commission seems to think that the mess will be the next Commission's problem. FISA 702 needs to be prolonged by the US this year, but with the announcement of the new deal the EU has lost any power to get a reform of FISA 702."

Fool me Thrice? Already in the wake of the Snowden disclosures in 2013, the European Commission announced that it will "rebuild" trust and "make Safe Harbor safer" and come up with an "umbrella agreement". In 2016 journalists were told that the "Privacy Shield" would mean that "for the first time, the US has given the EU written assurance", that there would be "clear limitations, safeguards and oversight mechanisms" and even "no indiscriminate mass surveillance". None of these claims and systems has proven stable when put before the CJEU. In the current version of the Commission's public relations efforts, the same (ever-repeating) claims are entertained.

Max Schrems: "We now had 'Harbors', 'Umbrellas', 'Shields' and 'Frameworks' - but no substantial change in US surveillance law. The press statements of today are almost a literal copy of the ones from the past 23 years. Just announcing that something is 'new', 'robust' or 'effective' does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work - and we simply don't have it."

CJEU challenge ready to be filed. Anyone whose personal data will be transferred under the new deal can bring a challenge with Data Protection Authorities or Courts. noyb has prepared various procedural options to bring the new deal back before the CJEU. We expect the new system to be implemented by the first companies within the next months, which will open the path towards a challenge by a person whose data is transferred under the new instrument. It is not unlikely that a challenge would reach the CJEU by the end of 2023 or beginning of 2024. The CJEU would then even have the option to suspend the "Framework" for the time of the procedure. A final decision by the CJEU would be likely by 2024 or 2025. No matter if such a challenge will be successful, this will bring clarity to the "Trans-Atlantic Data Privacy Framework" within about two years.

Max Schrems: "We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong. We currently expect this to be back at the Court of Justice by the beginning of next year. The Court of Justice could then even suspend the new deal while it is reviewing the substance of it. For the sake of legal certainty and the rule of law we will then get an answer if the Commission's tiny improvements were enough or not. For the past 23 years all EU-US deals were declared invalid retroactively, making all past data transfers by business illegal - we seem to just add another two years of this ping-pong now."

EU Commission shows little care for rule of law and citizens' privacy. This third attempt to pass largely the same unlawful decision also raises questions as to the larger role of the European Commission being the guardian of the EU treaties. Instead of upholding the 'rule of law' the Commission simply passes an invalid decision over and over again, despite clear rulings by the CJEU. Despite large outrage after the Snowden disclosures in the EU and repeated calls by the European Parliament to take action, the Commission seems to give the diplomatic relations with the US and business pressure on both sides of the Atlantic priority over the rights of Europeans and the requirements of EU law.

Max Schrems: "The Commission is meant to be the 'guardian of the treaties' and the defender or the 'rule of law'. It loves that role when it comes to Member States violating EU law. Now the Commission itself simply ignores the Court of Justice for the third time."