EU-US Data Privacy Framework to face serious legal challenges, experts say

Nine months after US President Joe Biden signed an executive order that updated rules for the transfer of data between the US and the EU, the European Commission this week ratified the EU-US Data Privacy Framework. Industry experts, however, say it will be challenged at the European Court of Justice (CJEU), and stands a good chance of being struck down.

The move comes three years after the CJEU shut down the previous EU-US data sharing agreement, known as Privacy Shield, on grounds that the US doesn’t provide adequate protection for personal data, particularly in relation to state surveillance. In 2015, a previous attempt to forge a data sharing pact, dubbed Safe Harbor, was also struck down by the CJEU.

The President of the European Commission, Ursula von der Leyen, said the new framework should provide “legal certainty” to transatlantic businesses, calling the commitments “unprecedented.”

“Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values,” she said in a statement. “It shows that by working together, we can address the most complex issues.”

However, industry experts expect the accord to face a plethora of legal challenges from privacy advocates before ultimately being struck down like its predecessors.

“We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong,” said Max Schrems, an Austrian lawyer and privacy activist who founded NOYB (None of Your Business) – European Center for Digital Rights. In 2016 and 2020, Schrems initiated legal proceedings against Safe Harbor and Privacy Shield, respectively, which led to the CJEU invalidating both agreements.

“We currently expect this to be back at the Court of Justice by the beginning of next year,” Schrems said in a statement published on NOYB’s website.

US privacy laws need fundamental overhaul for agreement to proceed

The EU-US Data Privacy Framework is based on the executive order signed by Biden in October 2022. In essence, the agreement places new restrictions on electronic surveillance by American intelligence agencies and gives Europeans new avenues to launch a complaint when they believe their personal information has been used unlawfully by US intelligence agencies.

This in itself could prove problematic since, if the next US presidential election should see the top job go to a Republican candidate, there’s a very real chance this executive order could be overturned, pulling the rug out from underneath the agreement, said Nader Henein, an analyst at Gartner. When Donlad Trump became president in 2016, he ripped up a number of international treates that had been approved by his predecessor, Democratic President Barack Obama.

While privacy experts have said from the outset that the agreement doesn’t adequately address the issues that led to Safe Harbor and Privacy Shield being struck down, it’s not a surprise the agreement was signed despite its high chance of failure.

“Both the EU and the US have invested a significant amount of effort in getting a new deal signed,” said Jonathan Armstrong, a compliance and technology lawyer at UK-based compliance specialists Cordery.

“Some of the messaging suggests that both parties want to do a deal even if it ends up with a case of ‘deja vu all over again’,” he said, while noting that the Data Privacy Framework is no where near as impervious to legal challenges as some of the accord’s promoters have suggested.

Although the agreement takes a few steps forward in terms of providing European data with protections from US law enforcement, it does not come close to meeting the requirements laid out by the European Court of Justice when it invalidated its predecessors, said Henein, echoing Armstrong’s skepticism.

“We expect it’s going to be invalidated in two to five years,” he said, describing the situation as a “tedious groundhog day” that is essentially just a can-kicking exercise that will end up being a headache for future administrations long after the current signatories have left office.

The US Constitution does not guarantee privacy per se, with laws and regulations around the issue having to be extracted from Fourth Amendment protections against illegal search and seizure. To pave the way to an agreement that is likely to pass CJEU scrutiny, the US would need to extend the same privacy protections to non-US citizens, a policy that Henein said would be incredibly politically unpopular and would likely see champions of a legal overhaul labelled as “antiprotection” and accused of opposing intelligence gathering efforts that could protect the country.

Currently there are no federal laws covering how companies store and protect personal data, which has led individual states enacting their own legislation, Henein noted.  “There are no privacy protections relating to enterprise companies so they’re now being passed at the state level,” Henein noted, adding that to date only 13 states out of 50 have passed such protections, meaning that it’s still early days for privacy legislation in the US.

“For legislation to advance so it doesn’t just cover US citizens, but also governs data pertaining to people sitting and living in other countries once that data lands legally in the US, is a tall order,” he said.

Businesses want clarity about data privacy

Both Armstrong and Henein agree that businesses want clarity around data-privacy issues, but unfortunately, the Data Privacy Framework doesn’t provide it.

Organizations need rock-solid regulations, not a plan that causes widespread panic every three years when it gets struck down and leaves companies noncompliant overnight, Henein said, adding that organizations cannot afford to pin their 10-year strategy on something that won’t survive half that time frame.

If the deal does survive a legal challenge, however, it could change some aspects of the data protection landscape, Armstrong said, noting that more cross-boarder data protection pacts and copy-cat deals in countries such as Switzerland and the UK could occur. Since leaving the EU, the UK has been in talks with the US about a new data transfer scheme that would be similar to Data Privacy Framework, while Switzerland has been in discussions with the US for an agreement that mirrored Privacy Shield before it was struck down.

“Data transfer will remain complex as it reflects world events,” Armstroing said. “Since global politics are complex, so global data transfers will remain complex too.”