Congressional Report Released on EU-U.S. Data Privacy Framework

Previously, ADCG reported that on October 7, 2022, President Joe Biden signed an executive order to secure a data transfer agreement between the European Union (EU) and United States (US).

On October 24, 2022, the Congressional Research Service (CRS) released a report titled “The EU-U.S. Data Privacy Framework: Background, Implementation, and Next Steps” (the “Report”). The Report “explains the circumstances leading to the development of the Data Privacy Framework, U.S. steps to implement the framework, and issues of possible interest to Congress.”

One predominant concern under the Report is the decision by the Court of Justice of the European Union (CJEU) in 2020 declaring the Privacy Shield Program invalid. The Privacy Shield Program was designed through a collaborative effort between the EU and the U.S., and in 2016 it was determined to be “adequate to enable data transfers under EU law.”

The CJEU’s 2020 determination “relied primarily on the extent of U.S. surveillance of individuals located outside the United States under Section 702 of the Foreign Intelligence Surveillance Act (FISA), enacted in 2008, and Executive Order 12333, signed by President Reagan in 1981.” According to the CJEU, the Privacy Shield Program did not “lay down clear and precise rules” that “impos[e] minimum safeguards” to protect consumers’ personal data. As such, when U.S. surveillance of personal data is applied to EU individuals, they are without “adequate administrative or judicial remedy for unlawful use of their data.”

The Report holds that these CJEU concerns and bases for invalidation of the framework in 2020 may only be echoed under the new framework. The Report states the creation of the Data Protection Review Court under the new framework was a “necessary step,” but states “several steps remain before commercial entities may rely on the Framework.”

Specifically, the Report poses that there will need to be resolution to the question of “what exact obligations will govern commercial entities[]” since this framework will not only permit data exchange by U.S. intelligence operations — like the Privacy Shield Program — but will also authorize private commercial participants to engage in these transfers.  

Additionally, the Report poses that the new Data Privacy Framework “may raise several issues of potential congressional interest.” These include Congress’s interest in authorizing U.S. participation in the framework due to the “importance of transatlantic data flows to U.S.-EU trade and economic relations.” CRS poses that the revocability of an executive order may lead Congress to initiate safeguards through legislation, rather than executive action, so that it may be codified.

There has been no response by either governmental body as to the contents of this report, but these concerns are not limited to the opinions of CRS. In fact, Maximilian Schrems, the Austrian privacy activist who has been at the forefront of the invalidation of both privacy shield proposals, has already issued an article stating he believes that the contents of the Framework are “unlikely to satisfy EU law.”

The article includes the following statement from Schrems: “It is amazing that the EU and the US actually agree that wiretapping needs probable cause and judicial approval. However, the US takes the view that foreigners don't have privacy rights. I doubt that the US has a future as the cloud provider of the world, if non-US persons have no rights under their laws. It is contradictory to me that the European Commission is working on a deal that accepts that Europeans are 'second class' citizens and don't deserve the same privacy rights as US citizens.”

