US, EU Officials Defend New Data Deal, Despite PS Inactivity
The new EU-U.S. trans-Atlantic data flow agreement goes far beyond previous deals by allowing EU residents privacy redress and introducing new legal concepts in the U.S., government officials from Washington and Brussels said Monday.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
President Joe Biden signed an executive order earlier this month initiating finalization of the EU-U.S. Data Privacy Framework (DPF), successor to the now-defunct Privacy Shield (PS) (see 2210070069). The European Commission is drafting an adequacy decision, the EU’s response to the EO. It could take six months between issuing a draft proposal and adopting a final adequacy decision, said Alisa Vekeman, a European Commission policy officer who helped negotiate the agreement, during an Atlantic Council livestream.
Two elements in the new deal are key, said Vekeman and Commerce Department PS Director Alex Greenstein: U.S. intelligence agencies agreed to engage in foreign surveillance only where “necessary” and “proportionate,” and the deal establishes a new data protection review court in the U.S. with the purpose of providing independent redress for individuals. The new review court goes “much, much beyond” the PS ombudsperson, said Greenstein. Vekeman noted the ombudsperson was a member of the administration, subject to political hierarchy without investigatory powers. Neither Greenstein nor Vekeman addressed that the ombudsperson fielded zero European complaints about U.S. surveillance during the two-year PS agreement (see 2204130070).
Under the new agreement, EU residents can complain to a civil liberties officer within the Office of National Intelligence, and they can appeal any decision to the new data protection review court. It’s “very different” from the PS, as it's fully independent with investigative powers and stronger authority, said Vekeman. She noted the new court's members will be appointed using the same criteria for appointing federal judges in the U.S. They will adjudicate without any government interference, she said.
The EO defines “legitimate objectives” for U.S. surveillance, said Vekeman, citing anti-terrorism efforts as an example. The EO also lists objectives for which foreign surveillance is never allowed, like suppressing political opinions, she said. And the EO includes conditions for how data can be shared with third parties, she said. The EO memorializes that U.S. intelligence agencies will need to make balancing decisions in a more transparent way, and they will be held accountable, said PwC privacy consultant Jocelyn Aqua.
Questions remain about how U.S. courts will interpret European legal concepts like “necessary” and “proportionate.” Proportionality, a German legal concept, hasn’t really “penetrated” the U.S. legal system, said Aqua. Christopher Kuner, Wilson Sonsini senior privacy counsel in Brussels, cautioned that the two sides remain very far away from a formal agreement that companies and intelligence agencies can rely on because the EU is working through its adequacy decision. The agreement is also very likely to be challenged so it’s an open question whether the two sides have a strong, stable framework to replace the PS, he said.
The Commerce Department is working with companies to ensure a smooth transition to the new agreement, said Greenstein. The data protection framework expected in the next few weeks will help thousands of companies that relied on the PS, said Aqua. However, she said many companies will continue to rely on their existing contracts' standard contractual clauses, which are the default standard since invalidation of the PS.