Major U.S. information technology companies are hoping to charm the European Union’s high court with a third attempt to clear their way in moving data across borders where laws governing privacy and data security have been fundamentally different.
The Biden administration plans to issue an executive order to oversee limitations on U.S. government surveillance activity that it believes will satisfy the Court of Justice of the European Union in consideration of U.S. companies’ data management and their citizens’ privacy rights.
The “Trans-Atlantic Data Privacy Framework,” announced in a joint statement from the White House and the European Commission Friday, is the third iteration of an arrangement the governments—along with industry—have tried to establish over the last decade to allow U.S. companies to handle Europeans’ data, despite a gap in their respective privacy laws. The administration expects an “agreement in principle” on the new arrangement will succeed where the “U.S.-EU Privacy Shield” arrangement of 2016 and the “Safe Harbor” arrangement of 2000 have failed.
The European court has now twice ruled in favor of European citizen activist Max Schrems. In 2015 he argued—in Schrems I—that revelations then federal contractor Edward Snowden made about a National Security Agency data collection program—PRISM—should invalidate Safe Harbor. He also argued—in Schrems II—that standard contract clauses companies ended up using under the replacement Privacy Shield agreement did not address potential violations of his privacy protections.
“The court held that the US does not provide for an essentially equivalent, and therefore sufficient, level of protection as guaranteed by [Europe’s General Data Protection Regulation and the European Union’s Charter of Fundamental Rights],” reads the European Parliament’s summary of the July, 2020, decision. “The legal bases of US surveillance programmes such as PRISM and UPSTREAM are not limited to what is strictly necessary and would be considered a disproportionate interference with the rights to protection of data and privacy, since they do not sufficiently limit the powers conferred upon US authorities and lack actionable rights for EU subjects against US authorities.”
According to the joint statement released Friday, Commerce Secretary Gina Raimando and EU Commissioner for Justice Didier Reynders have spent more than a year negotiating the broad outlines of the new arrangement and are now preparing specifics, which will entail the issuance of the new executive order.
“The United States and the European Commission announce that we have agreed in principle on a new Trans-Atlantic Data Privacy Framework, which will foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in the Schrems II decision of July 2020,” the statement reads. “The teams of the U.S. Government and the European Commission will now continue their cooperation with a view to translate this arrangement into legal documents that will need to be adopted on both sides … For that purpose, these U.S. commitments will be included in an executive order that will form the basis of the Commission’s assessment in its future adequacy decision.”
The Information Technology Industry Council, which represents Facebook and other multinational information technology companies, has pushed for a replacement to Privacy Shield and welcomed the joint statement Friday. The U.S. commitments—which the executive order will look to implement—are still very much unclear.
Under the new framework, the U.S. will “put in place new safeguards to ensure that signals surveillance activities are necessary and proportionate in the pursuit of defined national security objectives, establish a two-level independent redress mechanism with binding authority to direct remedial measures, and enhance rigorous and layered oversight of signals intelligence activities to ensure compliance with limitations on surveillance activities,” according to the joint statement.