Max Schrems, through his organisation, ‘My Privacy is None of your Business’ (“noyb.eu”) has issued an open letter to U.S. and EU officials about the announcement of an ‘agreement in principle’ for a new Trans-Atlantic Data Privacy Framework (“letter”). The letter coincides with a visit to Washington, D.C. by a delegation of several members of the European Parliament’s Civil Liberties Committee, to discuss EU-U.S. cooperation in the protection of personal data.
The letter sets out “preliminary observations” based on the announcement between European Commission President von der Leyen and U.S. President Biden; and subsequent further details that the letter states were informally shared with stakeholders.
The letter warns that the announced framework risks “sharing the same fate” as its two predecessors, Safe Harbor and Privacy Shield 1.0 – which were both invalidated by the CJEU – “unless substantive (legislative) reforms are conducted in the United States”.
The letter outlines several concerns which noyb.eu believes raises questions over the stability of future European Commission adequacy agreements, highlighting the following key areas of concern:
- Applying a correct proportionality test on US surveillance law under Article 8 Charter of Fundamental Rights of the European Union (CFR) – noyb.eu criticises the fact that negotiators do not plan to seek amendments to US statutory law in relation to material surveillance, but instead plan to replace Presidential Policy Directive 28 (PPD-28) on Signals Intelligence Activities with a new executive order that would include the words “necessary and proportionate”. Noyb.eu concludes that this approach seems to “merely satisfy the political, diplomatic and PR requirements of both sides”, but does not take into account the fact that the CJEU has already found that US surveillance is not “necessary and proportionate” and the US will continue these practices.
- Creating meaningful judicial redress under Article 47 CFR – the letter states that the plan for the US executive to form a new “body” within the executive branch to deal with potential violations of US law and executive orders is not compliant with Article 47 CFR – as the new body will be part of the executive branch with ‘limited independence’.
- The need to update commercial privacy protections – noyb.eu raises concerns that there are no planned updates to the Privacy Shield Principles, which noyb.eu states “is hugely problematic”, as the principles are not in line with the GDPR requirements.
- The future of international data transfers – noyb.eu concludes that “the conflict of (interoperable) privacy protections and (nationalistic) surveillance laws hinder international data flows, trade, and convergence”, in particular, as national surveillance laws in the US and the EU still use concepts tied to citizenship – lacking modern interoperability clauses.
- Reaction to any new adequacy decision – noyb.eu raises concerns that the European Commission may “knowingly adopt another unlawful adequacy decision with the aim of undermining the CJEU’s judgements”.
Despite noyb.eu’s detailed letter, there is still very little information about the substance of the proposed Trans-Atlantic Data Privacy Framework, and no draft legal text has been released. However, the letter provides a helpful indication of those areas where noyb.eu is likely to direct its focus – and legal challenges – if it concludes the new agreement is deficient. It should also be noted that the letter is very much an advocacy paper and many of the points raised rely on open questions of law. Ultimately, wherever the final text of Privacy Shield 2.0 lands it will be up to the courts and (probably) the CJEU to determine whether the new regime is consistent with the CFR and GDPR.
It is clear that the EU and US have significant challenges to overcome and that the devil is in the detailed drafting. The parties will need to work hard to find a convincing and robust solution to avoid the same fate suffered by Safe Harbor and Privacy Shield 1.0.
If you have any questions about the content of this post, please contact your usual DLA Piper lawyer.