Given Max Schrems’ previous involvement in the invalidation of the last two EU-US data transfer deals, it is unsurprising that he has penned another open letter to the relevant stakeholders of the new Trans-Atlantic Data Privacy Framework.

The new framework attempts to address two concerns of the Court of Justice of the EU (“CJEU”) that are related to US surveillance laws: (1) the scope and proportionality of permissible US national security surveillance activities; and (2) the availability of redress mechanisms for non-US data subjects whose personal data is determined to have been collected improperly by those US state agencies.

Although further details of the future deal are yet to be announced, Schrems, a well-known global privacy advocate, has pointed out that the deal is mainly based on a political agreement between Commission President von der Leyen and US President Joe Biden, and not the result of any material changes to US law in response to the CJEU’s Schrems II judgment. In 2020, the CJEU struck down the EU-US Privacy Shield after Schrems successfully argued it gave US government agencies access to EU citizens’ personal data without proportionate protection. Since then, organisations have been largely relying on the EU-approved standard contractual clauses as a legal basis for their international data sharing between the EU and US. Following Schrems’ comments, this deal in respect of trans-Atlantic data transfers appears to be at risk of sharing the same fate as its two predecessors.

The following observations and recommendations have been put forward by Schrems:

Applying a correct proportionality test on US surveillance law under Article 8 of the EU Charter of Fundamental Rights (“CFR”)

In the previous CJEU judgments (Schrems I and Schrems II), the CJEU found that US surveillance laws and practices violate Articles 7, 8 and 47 of the CFR and, explicitly, that those laws were not, in the eyes of the CJEU, “necessary and proportionate”.

Schrems pointed out that although the US plans to include the words “necessary and proportionate” in the new executive order, they are simply empty words because the US failed to reduce bulk surveillance of non-US data subjects.

Creating meaningful judicial redress under Article 47 CFR (right to effective remedy and to a fair trial)

The new framework proposes to create a new “body” called the Data Protection Review Court within the executive branch of the US Government that will deal with potential violations of US law and executive orders. However, it seems that EU data subjects will not be able to access information held about them from the potential surveillance operations during proceedings and cannot appeal decisions from this “Court”. Schrems labelled this as a “rubber stamp” institution with no practical relevance.

The need to update commercial privacy protections

There appear to be no updates to the Privacy Shield Principles, and the new framework continues to rely on the “Safe Harbour” principles from 2000, with minor updates in 2016. GDPR requirements such as having a legal basis and requiring data processing to be “necessary” have not been taken into account in this proposed deal.

In summary, Schrems continues to challenge the usage of nationalistic concepts for the protection of personal data and calls for more modern interoperability clauses regarding international data transfers.

Written by Noel Hung