[co-author: Jan-Luca Jorzyk]*

Since the European Court of Justice (ECJ) declared the “Safe Harbour” agreement—which had permitted U.S. companies to comply with EU restrictions on the transfer of personal data outside the EU—invalid in October 2015, transatlantic data traffic has been fraught with significant hurdles and uncertainties. With virtually all European companies relying on data processing by U.S. service providers, the demand for a legally secure and sustainable agreement between the EU and the United States is omnipresent. American parent companies in particular hope that data transfers to the United States will be simplified in the future. The latest hope is the "Trans-Atlantic Data Privacy Framework" (TADPF), which is intended to limit access by U.S. intelligence services and guarantee the protection of EU citizens’ personal data. The promising Executive Order 14086 issued by U.S. President Joe Biden on October 7, 2022 is supposed to provide new guarantees for this protection. It is highly questionable, however, whether this order will provide the U.S. with the "equivalent protection in substance" required by the ECJ.

On May 11, 2023, the EU Parliament submitted a resolution proposal in which it criticizes the efforts made by the United States to date. Specifically, the rights of EU citizens with regard to the processing of their personal data by U.S. companies are still not equal to the rights afforded to U.S. citizens. There are still no effective legal remedies for EU citizens, and there remains a lack of transparency with regard to the relevant data protection regulations.

Background: The GDPR in international data transfers

While the General Data Protection Regulation (GDPR) provides a high level of protection for personal data in the EU, this level of protection can be undermined in the case of data transfers to, or remote access from, third countries (i.e., countries outside the EU or European Economic Area). The reason is that different national laws and international obligations apply in the third country, which cannot be reconciled with the provisions of the GDPR, and therefore result in a lower level of protection. In the United States in particular, the authorities have extended access rights to data. As a consequence, a company might have to disclose personal data, even though this is prohibited under the GDPR. Against this backdrop, the GDPR requires that international data transfers meet additional requirements (Art. 44 GDPR et seq.).

For individual countries, the EU Commission has assessed the level of protection in that country and concluded that it is equivalent to the level of protection in the EU. In such cases, a so-called "adequacy decision" (Art. 45 GDPR) has been issued, based on which personal data can be transferred in a simplified manner. A list of these third countries can be found here – the USA is not included.

The failed: “Safe Harbour” and “EU Data Privacy Shield”

Although there have been two agreements in the past that were intended to simplify data transfers to the United States, both were declared invalid by the ECJ: First, in October 2015, the ECJ declared the "Safe Harbour" agreement ineffective (judgment of 6 October 2015, Case C-362/14 "Schrems I"), and in July 2020, its successor, the "EU Data Privacy Shield" (judgment of 16 July 2020, Case C-311/18 "Schrems II"), met the same fate. The ECJ's main reasoning was that the agreements did not provide sufficient legal protection against surveillance of EU citizens by U.S. authorities and therefore did not sufficiently protect the fundamental rights of the EU citizens concerned. Against this background, on May 20, 2021, the EU Parliament called on the European Commission not to adopt a new adequacy decision for the United States unless it would create an adequate legal framework.

Current developments – the EU Parliament speaks plainly

Following a joint meeting on March 25, 2022, EU Commission President von der Leyen and U.S. President Biden announced that work is in progress and that a new EU-U.S. agreement is being drafted – the TADPF. On October 7 2022, Biden signed Executive Order 14086, which introduced safeguards and established a body for EU citizens to submit complaints. The EU Commission then initiated the procedure to adopt an adequacy decision for the United States on December 13, 2022.

Hopes for a timely adoption of the TADPF, however, have dimmed: The EU Parliament criticized the draft on May 11, 2023, signaling that its adoption – and with it the simplified transfer of data to the United States – is likely to be pushed back further. In its resolution proposal, the EU Parliament clarified that Executive Order 14086 partly contains "significant commitments." At the same time, however, it noted that sufficient guarantees had not yet been put in place to ensure a "substantially equivalent level of protection" for EU citizens from the U.S. authorities. The EU Parliament therefore considered Executive Order 14086 to be insufficient:

• The EU Parliament welcomed the new possibility for EU citizens to challenge the processing of their data by U.S. authorities in a Data Protection Review Court. At the same time, it criticized the fact that this court and the corresponding procedures do not meet constitutional requirements: The court is part of the executive body, and its judges are appointed for only four years. Above all, the U.S. president can dismiss judges at any time and overrule the court's decisions – even in secret. The independence of the judges is therefore not guaranteed. In addition, the court may at any time classify decisions as secret and thus deny access to applicants. Finally, no claim for monetary can be filed before the court.

• The EU Parliament also argued that the ban on U.S. authorities’ collecting mass data on U.S. citizens living in the U.S. still does not apply to EU citizens. Such mass government surveillance is unlawful and undermines the trust of EU citizens and European businesses in the digital economy.

• On the positive side, the EU Parliament underlined that the European principle of proportionality has now found its way into the assessment of the permissibility of data processing by the U.S. authorities through Executive Order 14086. Nevertheless, the principle of proportionality contained therein is not comparable to that of the EU and is interpreted exclusively in light of U.S. law – not EU law.

• Another problem identified by the EU Parliament is that the U.S. president can amend the executive order at any time. This applies in particular to the list of purposes for which personal data may or may not be processed by the U.S. authorities. Associated with this is a significant lack of clarity and predictability in existing data protection standards, as the U.S. president thus has the power to create new legal grounds for data processing. Moreover, the EU does not even need to be informed of such presidential changes.

• Finally, the EU Parliament underlines that the United States – unlike all third countries for which an adequacy decision has been issued – does not have a federal data protection law.

The EU Parliament hopes for adjustments – so do we!

Although the EU Commission is not dependent on the approval of the EU Parliament, and acting rather quickly would speed the process up, the joy over the new agreement could be short-lived if the ECJ puts a stop to it once again. That said, one can only hope that the EU Commission will enter into further negotiations with the United States and take adequate steps to address the concerns expressed by the EU Parliament. Only this way will a legal framework that guarantees legally secure data transfers to the United States be established. Until then, data transfers to the United States will require additional safeguards, and companies will continue to be forced to rely on standard contractual clauses (SCCs) or, within a group, binding corporate rules. For more information on SCCs and Intra Group Data Transfer Agreements (IGDTA), see our Insight from last year.

*Jan-Luca Jorzyk is a law trainee at vangard | Littler