New EU-US data transfer pact may fall short of what EU wants, Max Schrems says
There is no sign that the US mass monitoring will alter in practice
Austrian privacy activist and lawyer Max Schrems has warned European Union and United States policymakers that President Biden's executive order, which last week set forth new guidelines for how the US and Europe share people's private personal information, may still fall short of what the EU wants.
On Friday, US President Joe Biden signed a new executive order to implement a new framework to preserve the privacy of personal data that is exchanged between the US and EU.
US Commerce Secretary Gina Raimondo said the executive order "is the culmination of our joint effort to restore trust and stability to transatlantic data flows" and will protect the privacy of EU citizen's personal data.
The new framework is intended to close the significant gap in data protections on both sides of the Atlantic since the Court of Justice of the European Union (CJEU) in July 2020 ruled that the prior EU-US Privacy Shield framework was not valid as a data transfer mechanism under EU law.
The court determined that the US had an excessive amount of power to monitor European data transferred through the previous system.
According to the CJEU's order, US surveillance must be proportionate as defined by Article 52 of the Charter of Fundamental Rights (CFR) and must provide access to judicial redress as required by Article 47 CFR.
'Privacy Shield 2.0' aims to allay European worries about potential US intelligence agency surveillance.
The White House stated in March in a fact sheet that the US was "committed to implement new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives."
The White House press release says Biden's executive order limits the types of signals intelligence that US spy agencies can gather and places information collection behind a number of layers of restrictions, including ensuring that only tightly tailored data is gathered.
The new framework also establishes a Data Protection Review Court comprised of non-government employees to hear complaints from EU citizens, provided that their grievances first make their way through the civil liberties team at the Office of the Director of National Intelligence for review.
Biden's executive order will now be sent to Brussels, where EU officials may examine it for up to six months. A new data agreement is anticipated to be completed around March 2023, although privacy advocates are expected to challenge the decision in court.
Campaigners claim that the executive order makes no substantive changes and simply repeats the language of European law, adding words like "proportionate" and "necessary".
The new order, according to Schrems, "seems to fail" in some crucial areas. While some language may have changed in the new agreement, he claims that the EU and US still don't seem to be using the same definitions for words like "proportionate."
Furthermore, there is no sign that the US mass monitoring will alter in practice.
"In the end, the CJEU's definition will prevail, likely killing any EU decision again. The European Commission is again turning a blind eye on US law, to allow continued spying on Europeans," he stated.
"We do not see a ban on bulk surveillance and no actual limitations."
Schrems' privacy rights group NOYB said that the Data Protection Review Court is not a real court as legally defined by the US law.
The group also criticised the scope of the EU citizens' legal options, claiming there was no further assurance that they would be heard beyond the previous frameworks.
"We will analyse this package in detail, which will take a couple of days," Max Schrems said.
"At first sight it seems that the core issues were not solved, and it will be back to the CJEU sooner or later."