Governance & Risk Management , Government , Industry Specific
EU-US Data Privacy Framework in Activist's CrosshairsEuropean Commission Took Key Step in Finalizing Trans-Atlantic Data Flow Framework
An Austrian privacy activist with a track record of derailing the legal framework underpinning of commercial trans-Atlantic data flows is suggesting he will try again following a key move by the European Commission to formally accept a compromise framework unveiled earlier this fall.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
The European Commission adopted on Dec. 13 a draft adequacy decision paving the way for formal European ratification of a pact dubbed the EU-U.S. Data Privacy Framework (see: President Biden to Sign Order for Trans-Atlantic Data Flows). EU Justice Commissioner Didier Reynders told a Brussels audience earlier this month he expects the pact to be finalized before July.
The Data Privacy Framework has a "7 or 8 out of 10 chance" of withstanding a legal challenge, he said. This newest bid is the third attempt for a trans-Atlantic legal framework assuring that companies such as Facebook and Google can continue to obtain, store and analyze Europeans' data in centers located outside the continent.
The framework is the outcome of nearly two years of negotiations between Brussels and Washington, instigated by a Court of Justice of the European Union 2020 decision invalidating Privacy Shield, the legal framework that allowed trans-Atlantic commercial data flows since mid-2016.
Key commitments extracted from the United States include a pledge to keep intelligence gathering on Europeans proportional to national security and a new tribunal within the U.S. Department of Justice staffed to review European claims that personal information was wrongly swept up by U.S. intelligence agencies.
The European Court of Justice's ruling invalidating Privacy Shield was actually the second time Europe's highest court found U.S. assurances about privacy protections for ordinary European against American intelligence gathering to be wanting, having in 2015 struck down a previous arrangement known as Safe Harbor.
Max Schrems, the privacy activist who brought both cases, reacted to the European Union's issuance of a draft adequacy decision by saying it appears vulnerable to another round of litigation. "It seems that the European Commission just issues similar decisions over and over again - in flagrant breach of our fundamental rights," he said in a statement published by NOYB - European Center for Digital Rights, the activist organization he co-founded. "I can't see how this would survive a challenge before the Court of Justice," Schrems said.
Digital data flows underpin trade and investment between the United States and Europe, a relationship the federal government assesses is worth $7.1 trillion. Trans-Atlantic trade in information and communications technology services was worth more than $264 billion in 2020. A recent study commissioned by trade association Digital Europe concluded that a loss of cross-border data flows on exports from data-reliant sectors would lead to an annual reduction in EU gross domestic product of 330 billion euros annually.
The commission's draft decision is now set to be reviewed by the European Data Protection Board, after which a majority of member states must give the commission the go-ahead for final approval. The European Parliament may also issuing a nonbinding opinion.