Background. In 2013 Edward Snowden disclosed that the US government used "big tech" companies and programs like "PRISM" or "Upstream" under FISA 702 and EO 12.333 to spy on the rest of the world without the need for probable cause or judicial approval. This was not limited to crime or terrorism, but also included espionage on "partners" of the US. Since a 1995 EU law, personal data may generally not be sent outside of the EU unless there is an "essentially equivalent" protection in the destination country. The US industry heavily relied on a European Commission Decision called "Safe Harbor" that declared the US "essentially equivalent" in 2000. The CJEU annulled the Commission Decision in C-362/14 ("Schrems I") in 2015, given the vast US surveillance laws. In 2016 the European Commission passed largely the same Decision on EU-US Data Transfers again, under the new name "Privacy Shield", which was invalidated by the CJEU in C-311/18 ("Schrems II") in 2020 largely on the same grounds.
Ursula's and Joe's "Magic" Tricks. After the annulment of the "Privacy Shield" the negotiations between the EU and the US saw little progress. The US insisted that EU data would stay subject to US mass surveillance and that "non-US" persons would not have the same protections as US persons. After little movement for more than 1.5 years, the US reportedly used the war in Ukraine to put pressure on the EU on sharing personal data. Soon thereafter, Joe Biden and Ursula von der Leyen met on 25 March 2022. The same day, the two suddenly "solved" what the lawyers were unable to solve and presented an "agreement in principle", a one-pager which in essence contained two "tricks" that should calm the public:
Overall the new "Trans-Atlantic Data Privacy Framework" is a copy of Privacy Shield (from 2016), which in turn was a copy of "Safe Harbor" (from 2000). Given that this approach has failed twice before, there was no legal basis for the change of course - the only logic for having a deal was political.
Max Schrems, chair of noyb: "They say the definition of insanity is doing the same thing over and over again and expecting a different result. Just like 'Privacy Shield' the latest deal is not based on material changes, but on political interests. Once again the current Commission seems to think that the mess will be the next Commission's problem. FISA 702 needs to be prolonged by the US this year, but with the announcement of the new deal the EU has lost any power to get a reform of FISA 702."
Fool me Thrice? Already in the wake of the Snowden disclosures in 2013, the European Commission announced that it would "rebuild" trust and "make Safe Harbor safer" and come up with an "umbrella agreement". In 2016 journalists were told that the "Privacy Shield" would mean that "for the first time, the US has given the EU written assurance", that there would be "clear limitations, safeguards and oversight mechanisms" and even "no indiscriminate mass surveillance". None of these claims and systems has proved stable when put before the CJEU. In the current version of the Commission's public relations efforts, the same (ever-repeating) claims are entertained.
Max Schrems: "We now had 'Harbors', 'Umbrellas', 'Shields' and 'Frameworks' - but no substantial change in US surveillance law. The press statements of today are almost a literal copy of the ones from the past 23 years. Just announcing that something is 'new', 'robust' or 'effective' does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work - and we simply don't have it."
CJEU challenge ready to be filed. Anyone whose personal data will be transferred under the new deal can bring a challenge with Data Protection Authorities or Courts. noyb has prepared various procedural options to bring the new deal back before the CJEU. We expect the new system to be implemented by the first companies within the next months, which will open the path towards a challenge by a person whose data is transferred under the new instrument. It is not unlikely that a challenge would reach the CJEU by the end of 2023 or beginning of 2024. The CJEU would then even have the option to suspend the "Framework" for the time of the procedure. A final decision by the CJEU would be likely by 2024 or 2025. No matter if such a challenge will be successful, this will bring clarity to the "Trans-Atlantic Data Privacy Framework" within about two years.
Max Schrems: "We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong. We currently expect this to be back at the Court of Justice by the beginning of next year. The Court of Justice could then even suspend the new deal while it is reviewing the substance of it. For the sake of legal certainty and the rule of law we will then get an answer if the Commission's tiny improvements were enough or not. For the past 23 years all EU-US deals were declared invalid retroactively, making all past data transfers by business illegal - we seem to just add another two years of this ping-pong now."
EU Commission shows little care for rule of law and citizens' privacy. This third attempt to pass largely the same unlawful decision also raises questions as to the larger role of the European Commission being the guardian of the EU treaties. Instead of upholding the 'rule of law' the Commission simply passes an invalid decision over and over again, despite clear rulings by the CJEU. Despite large outrage after the Snowden disclosures in the EU and repeated calls by the European Parliament to take action, the Commission seems to give the diplomatic relations with the US and business pressure on both sides of the Atlantic priority over the rights of Europeans and the requirements of EU law.
Max Schrems: "The Commission is meant to be the 'guardian of the treaties' and the defender of the 'rule of law'. It loves that role when it comes to Member States violating EU law. Now the Commission itself simply ignores the Court of Justice for the third time."