The EU-U.S. Data Privacy Framework: More Steps Needed to Repair Trust in Data Flows

The new EU-U.S. Data Privacy Framework (EU-U.S. DPF) reads as a good faith effort to maintain transatlantic data flows following the Court of Justice of the European Union’s (CJEU) 2020 decision to invalidate the Privacy Shield—a diplomatic milestone, but not a comprehensive reform of U.S. government surveillance. Keeping in mind its trade-oriented motivations, the Biden administration’s Executive Order on Enhancing Safeguards For United States Signals Intelligence Activities and related Department of Justice (DOJ) regulations take a targeted approach to meet two primary benchmarks that the CJEU set in Schrems II.

First, the executive order pledges to tailor U.S. signals intelligence collection to what is “necessary” and “proportionate” to protect both national interests and individual privacy and civil liberties, directly adopting terminology from the EU Charter of Fundamental Rights. Going further, it generally instructs U.S. agencies to limit signals intelligence to 12 contexts, such as the advancement of climate action, public health, election integrity, and cybersecurity—and authorizes them to conduct bulk surveillance in six, including to protect against international terrorism and espionage, where the information in question “cannot reasonably be obtained by targeted collection.”

Second, it creates a new “redress” mechanism to allow individuals in “qualifying states” to request a more independent review of potential privacy or civil liberties violations by U.S. intelligence agencies. Under this framework, the Civil Liberties Protection Officer (CLPO) within the Office of the Director of National Intelligence (ODNI) is delegated authority to investigate complaints of suspected surveillance and mandate “appropriate remediation” for any unlawful violations. In addition, the DOJ will establish a new Data Protection Review Court (DPRC) with the power to review CLPO determinations.

Notably, the executive order only grants access to the redress mechanism for individuals in “qualifying states” that the U.S. attorney general designates, which would presumably include the European Union. The attorney general may also rescind “designation” if a qualifying state fails to provide adequate privacy safeguards for U.S. individuals or permit data flows with the United States. The EU-U.S. DPF is not the first U.S. policy to incorporate reciprocity in some form; for example the CLOUD Act, despite attracting separate but familiar EU concerns over data transfers, requires foreign governments to maintain “robust substantive and procedural protections for privacy and civil liberties” and to “promote and protect the global free flow of information” to be eligible to enter an agreement.

Aligning EU and U.S. Privacy Standards

Now that the Biden administration has laid out the parameters of the new EU-U.S. DPF, the European Commission is expected to formally adopt an adequacy decision over the next few months. But the greater test will lie within the EU judicial system—if the EU-U.S. DPF is challenged in court, the CJEU will need to determine that these U.S. privacy standards are “essentially equivalent” to those in the European Union in order to sustain cross-border data transfers.

Already, advocates have called out some of the cultural differences between the United States and European Union toward privacy. For example, the White House executive order’s reference to “legitimate privacy interests” contrasts with the European Union’s concept of data protection as a “fundamental right.” Max Schrems, the original litigant in both Schrems cases, has also commented on a possible divergence between the U.S. and EU definitions of terms like “necessary” and “proportionate.” And while more prescriptive than Presidential Policy Directive 228 (PPD-28), the executive order’s permitted objectives for targeted and bulk signals intelligence are still fairly broad, so their actual level of protection could depend on how U.S. agencies interpret and enforce them in practice.

These differences reflect more than a choice of vocabulary; there are distinct elements of the U.S. and EU legal systems that are difficult to align. For example, the EU-U.S. DPF places the DPRC within the Department of Justice, instead of the judicial branch, ostensibly in part to permit EU individuals to file complaints without meeting U.S. constitutional standing requirements. However, despite some provisions to promote independence within the DPRC (e.g., the executive order’s requirement to choose DPRC members from outside the U.S. government), it remains to be seen whether an Article II court can guarantee the perceived impartiality of review—at least in the eyes of the EU public and judiciary. In addition, as Max Schrems has already pointed out, the redress mechanism is extremely limited; even if the CLPO or DPRC determines that an individual has suffered an unlawful privacy violation, the U.S. government will not directly tell complainants that they have been surveilled, and complainants will not receive legal remedies.

Even outside of these structural legal constraints, the Biden administration could potentially alleviate some criticism of U.S. surveillance authorities by improving public transparency where feasible. To an extent, the executive order acknowledges the role of public oversight by providing for the declassification of some records related to the redress mechanism, as well as tapping the Privacy and Civil Liberties Oversight Board (PCLOB) to annually review the efficacy and timeliness of the CLPO and DPRC process and disseminate their findings through public certifications and unclassified reports. Still, the administration could strengthen the redress mechanism by addressing one significant gap: since most individuals who are implicated by surveillance under Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333 are never notified in the first place, it may be less likely for prospective complainants to come forward and bring privacy concerns to the CLPO or DPRC.

Promoting Trust in Cross-Border Data Transfers

What Schrems I and Schrems II ultimately reveal is a global lack of trust in U.S. data protection and government surveillance—as well as the economic risks of its absence. Both the United States and European Union count the other as a major trading partner, and they collectively make up approximately one-third of the world’s GDP. In other words, neither jurisdiction can afford to stop transatlantic data flows. Back in February, Meta, one of the most powerful corporations in the United States, warned that it might have to pause some operations in the European Union unless a new data transfer framework came in place—and it was far from the only company affected by the uncertainty surrounding Schrems II.

Because the Schrems II decision did not address private sector practices or Privacy Shield commercial principles, the EU-U.S. DPF is not expected to substantially amend obligations for U.S. businesses that process information related to EU individuals. Even so, legislative action above and beyond the parameters of Schrems II could improve the European Union’s overall view of the U.S. data protection landscape—which, in turn, could demonstrate shared values on privacy and help achieve a long-term adequacy decision under the General Data Protection Regulation. That is why, in addition to codifying the Biden administration’s executive order into statute, Congress could help strengthen the transatlantic partnership by passing a federal comprehensive data privacy law; strengthening the Federal Trade Commission’s ability to enforce EU-U.S. DPF self-certifications, as Privacy Shield non-compliance penalties have been relatively light; and addressing voluntary sales of personal information by data brokers and other digital platforms to U.S. government agencies, outside Section 702 of FISA and Executive Order 12333.

To build a stronger foundation in trust, the United States will need to follow not only the letter of the EU-U.S. DPF, but the spirit. Both the United States and its trade partners could benefit from what the EU-U.S. DPF does not explicitly contain: a more holistic reassessment of digital privacy protections and government surveillance beyond just a narrow focus on the concepts of necessity, proportionality, and redress. The EU-U.S. DPF is a step towards improving privacy in this regard, but hopefully it will not be the last.

Caitlin Chin is a fellow with the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.

The author would like to thank Georgia Wood for her comments and review.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2022 by the Center for Strategic and International Studies. All rights reserved.