Authors: Beatrice Gori, Giovanni Tricco and Giorgia Zaghi.
On March 25, amid a week of summits in Brussels overshadowed by the war in Ukraine, Joe Biden and Ursula von der Leyen unexpectedly announced, in a joint meeting, a new transatlantic data privacy agreement in principle, clearly showing the political weight attached to the issue. Since the fall of the previous Privacy Shield in 2020, data flows between the two transatlantic actors have been surrounded by uncertainty, making it difficult for companies, particularly SMEs, to conduct business. Transatlantic data and information flows between the United States and the European Union are estimated to be valued at over $7.1 trillion, with over 5300 companies participating, including technology behemoths such as Google, Meta and Microsoft. A new agreement has therefore been eagerly awaited on both sides of the Atlantic since the decision of the Court of Justice of the European Union (CJEU) in Schrems II, which called out the disproportionate reach of US surveillance capabilities and the lack of an effective redress body for European data owners.
The new transatlantic data pact is expected to resolve this gridlock and foster the data economy in the near future. However, no text has been published, raising serious doubts among privacy experts. Max Schrems, the Austrian privacy activist who brought down the two previous agreements, greeted the new pact as “a lipstick on a pig”, announcing future challenges before the European judicial system. The line between a new agreement that fulfills the CJEU criteria and one that paves the way for a Schrems III is exceedingly thin. The question is also surrounded by controversy: the CJEU sharply criticized US practices without taking into account the national capabilities of the EU's own Member States. Several reports, including one from the European Fundamental Rights Agency (FRA) and one from the United Nations High Commissioner for Human Rights, outlined how surveillance programs conducted by European intelligence services allegedly range from collecting traffic metadata from diverse sources to monitoring web forums and intercepting cable-bound transmissions.
Indeed, in Europe surveillance activities fall under the scope of national security, which is a matter of national competence according to the Treaty of the European Union (TEU); European courts therefore cannot legislate for the Member States or impose changes on them. The EU courts’ approach has provoked anger and disbelief among US national security experts: a “mix of judicial imperialism and Eurocentric hypocrisy”, as pointed out by Steven Baker, a partner in the law firm Steptoe & Johnson LLP and former general counsel of the National Security Agency (NSA). Therefore, while the CJEU’s Schrems II decision emphasized how current laws inadequately protect the right of non-nationals to judicial redress in the United States, additional surveillance and intelligence reform should also be addressed in the EU in order to create political momentum for legislative intervention in the American Congress. Until then, as underlined by Peter Swire, it is “unrealistic for the EU to demand changes to U.S. national security legislation when European countries themselves are not averse to similar practices.”
Swire's forecast appears to have come true: the fact sheet released by the US government mentions no legislative amendments; instead, it calls for the establishment of a new redress mechanism and other safeguards to satisfy the CJEU’s request via a Presidential Executive Order (EO). Such a process would raise doubts about whether the new mechanism can be independent and able to investigate wrongdoing by the American Intelligence Community (IC). In theory, it would reproduce the same problems as the Ombudsman of the old Privacy Shield. However, experts have envisaged an intriguing solution. They call for the creation of a redress authority via a regulation of the Department of Justice (DOJ), which would make it independent of the executive, in conjunction with EOs from the President that would give the new redress authority the concrete capability to investigate redress requests effectively and to issue decisions that are binding on the entire American IC. According to them, this non-statutory solution would, theoretically, satisfy the request of the European courts in Schrems II.
The European Data Protection Board (EDPB) made the point clear in its statement, saying that it will direct “special attention to how this political agreement is translated into concrete legal proposals.” As long as a text is missing, therefore, only speculation is possible. Indeed, at the moment the political agreement reached on 25 March 2022 is just the latest step in the ‘intense negotiations’ on a Privacy Shield replacement, as stated by the European Commissioner for Justice Didier Reynders, who announced that work on a final text is under way with the aim of reaching a final agreement in late 2022. He pointed out that: "It is difficult to give a precise timeline at this stage, but we expect that this process could be finalized by the end of this year." On the European side there is trust in the work and commitment of American officials. Indeed, the U.S. Department of Commerce Deputy Assistant Secretary for Services Christopher Hoff told IAPP that the United States made unparalleled commitments to significantly increase privacy and civil liberties safeguards through the establishment of the new multi-layered redress mechanism, assuring that it will be independent and binding, with safeguards on how the court is set up as well as protections for the selection and removal of judges. In addition, he said he strongly believes that the agreement will be durable and that all the features of the new agreement will be much clearer at the appropriate time.
The stakes are high: if the agreement does not survive the scrutiny of the CJEU, legal uncertainty will persist and future economic losses for the digital economy of the EU and the US will increase. According to forecasts by DIGITALEUROPE, if a stable agreement that enables lawful and consistent data transfers is not assured, the European Union economy could lose €1.3 trillion in cumulative economic growth by 2030, €116 billion in annual exports and 1.3 million jobs, primarily in high-skilled professions. On the other hand, if a stable data transfer mechanism is assured, the EU economy would gain €720 billion in cumulative extra growth by 2030, equivalent to an increase of 0.6% in GDP on a yearly basis, and €60 billion in annual exports, of which half would come from the manufacturing sector, boosting the position of European SMEs; 700 thousand new jobs would also be created. It is therefore critical that the text of the new agreement include the proper safeguards requested by the CJEU in Schrems II, in order to ensure a long-standing Transatlantic Data Flow Agreement on which the European data economy can flourish and which guarantees the protection of the rights of Europeans in the years ahead.