New EU-US data privacy framework seems destined to fail, again

The EU and US have cobbled together yet another framework that claims to protect EU data stored in the US but there are still many reasons to be sceptical.

This has been an issue for years, largely because much of what takes place on the internet is controlled by US companies, who have most of their servers over there. The EU is inclined to prevent the transfer of its citizens’ data to the US unless it can be sure it will be protected. For some reason the EU seems to think the US security state will snoop on that data, given half the chance, and the US government has struggled to reassure it otherwise.

Yesterday, in typically Eurocratic language, the European Commission adopted a ‘new adequacy decision for safe and trusted EU-US data flows’. This was the result of the EC concluding the US now ensures an adequate level of protection for EU data transferred over there. The ultimate point of this sort of thing is for that data to be able to be transferred without any other legal, regulatory or other logistical impediments.

“Today’s decision is the result of intense cooperation with our partners in the US, working together to ensure that Europeans’ data travels safely, wherever it goes,” said Věra Jourová, EC VP for Values and Transparency. “The new adequacy decision will provide legal certainty for businesses and will help further consolidate the EU as a powerful player in transatlantic markets, while remaining uncompromising on respecting fundamental right of Europeans for their data to be always protected.”

“Since the Schrems II decision came out years ago, I have worked tirelessly with my US counterparts to address the concerns identified by the Court of Justice, and ensure that technological advances do not come at the cost of Europeans’ trust,” said Didier Reynders, Commissioner for Justice. “But as close like-minded-partners, the EU and the US could find solutions, based on their shared values, that are both lawful and workable in their respective systems.”

The decision referred to was the rejection of the previous such effort, called the EU-US Data Protection Shield, thanks in large part to the efforts of Austrian privacy activist Max Schrems. The EC seems to think it has addressed the concerns that resulted in that Court of Justice (CJEU) rejection but others, including Schrems himself, are unconvinced.

“They say the definition of insanity is doing the same thing over and over again and expecting a different result,” said Schrems, via the organisation he founded NOYB (none of your business). “Just like ‘Privacy Shield’ the latest deal is not based on material changes, but by political interests. Once again the current Commission seems to think that the mess will be the next Commission’s problem. FISA 702 needs to be prolonged by the US this year, but with the announcement of the new deal the EU has lost any power to get a reform of FISA 702.

“We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong. We currently expect this to be back at the Court of Justice by the beginning of next year. The Court of Justice could then even suspend the new deal while it is reviewing the substance of it. For the sake of legal certainty and the rule of law we will then get an answer if the Commission’s tiny improvements were enough or not. For the past 23 years all EU-US deals were declared invalid retroactively, making all past data transfers by business illegal – we seem to just add another two years of this ping-pong now.

“The Commission is meant to be the ‘guardian of the treaties’ and the defender or the ‘rule of law’. It loves that role when it comes to Member States violating EU law. Now the Commission itself simply ignores the Court of Justice for the third time.”

The original focus of Schrems’ activism, Facebook, sees things somewhat differently.

Given the many public admissions by Facebook and other US tech companies of them coming under pressure to act from the US security state, as well persistent political pressure on internet platforms to censor their users, it’s hard to place much trust in this latest collaboration between such organisations. To keep proposing the same thing over and over again until it’s accepted is a standard EU tactic but, thanks to the likes of Schrems, it seems unlikely to work in this case

Get the latest news straight to your inbox. Register for the Telecoms.com newsletter here.