- Thierry Spanjaard
Transatlantic privacy protection is still in limbo
Not only do Europe and the United States have different regulations about data protection, they also have a totally different mindset. The European approach is often to bring the whole industry together to set up standards and regulations beforehand, while the North American approach is to let the market develop and then expect the judicial system to set up jurisprudence to establish rules of conduct if needed.
The EU has adopted the GDPR and enforced it for the last four years. While the application of the rule is not perfect, one can say data protection works to a certain extent. On the other hand, the United States' situation in terms of personal data protection is still patchy, the most advanced law being the California Consumer Privacy Act (CCPA), which applies to consumers who are California residents.
A major difference is that while the EU sees privacy as a human right that applies to any human, the US Constitution's Fourth Amendment only applies to US citizens or permanent residents. The US administration and governments have no issue wiretapping communications or exploiting personal data as long as it does not concern US citizens or permanent residents.
The first attempt to regulate private data exchanges was known as the International Safe Harbor Privacy Principles, which was applicable from 2000 to 2015. Then came the Privacy Shield, a transatlantic agreement regulating exchanges of personal data for commercial purposes, which was applicable from July 2016, after having been approved by the European Commission. However, the European Court of Justice declared the Privacy Shield invalid in July 2020. Earlier in 2022, the European Commission and the United States announced that they had agreed in principle on a new Trans-Atlantic Data Privacy Framework. Under this framework, the US committed to implement reforms that will strengthen the privacy and civil liberties protections applicable to US signals intelligence activities, they said. In particular, the framework was expected to include “safeguards to limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security.” The framework was also expected to provide “adequate protection of Europeans’ data transferred to the US.”
On October 7, 2022, US president Joe Biden signed an executive order on US surveillance activities, launching the next negotiation step to reach an EU-US agreement. The EU Justice Commissioner Didier Reynders hailed the executive order as a “significant step.” However, several privacy defense organizations state that the proposal in the presidential executive order does not totally respect the principles of the framework. Max Schrems, an Austrian privacy activist and chair of noyb.eu (None of Your Business), considers that the new executive order is unlikely to satisfy EU law. According to the noyb website, “there is no indication that US mass surveillance will change in practice. So-called ‘bulk surveillance’ will continue under the new executive order and any data sent to US providers will still end up in programs like PRISM or Upstream.” According to his research, the words “necessary” and “proportionate” do not carry the same meaning in the March framework and in the October executive order. He also states that the “court” referred to in the executive order is actually a body within the US government's executive branch that would not function as a regular court. Max Schrems adds that the executive order contains provisions that were already rejected by the European Court of Justice.
A court battle is probably ahead of us before a full agreement can be found. In the meantime, one may wonder under which legal framework data are transferred across the Atlantic Ocean, especially by the GAFAM (Google, Apple, Facebook, Amazon, Microsoft), and how to enforce privacy rights for Europeans.