Privacy & Information Security Law Blog

On December 12, 2022, at the “POLITICO Live” event presented in cooperation with Hunton Andrews Kurth LLP’s Centre for Information Policy Leadership ("CIPL")—titled “EU-U.S. Data Flows: Game Changer or More Legal Uncertainty?”—featured speakers from both sides of the Atlantic optimistic that the new EU-U.S. Data Privacy Framework will withstand an anticipated legal challenge.

The event discussed the importance of President Biden’s October 7 Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities ("EO") and the forthcoming European Commission’s preliminary adequacy decision, expected to be released later this week. The EO seeks to address the concerns raised by the Court of Justice of the European Union ("CJEU") in the Schrems II judgment that invalidated the EU-U.S. Privacy Shield framework.

In her opening remarks, CIPL president Bojana Bellamy called the new data flows framework a “game changer” because it (1) articulates new limitations on, and parameters for, government surveillance, in line with the EU’s concepts of “necessity” and “proportionality;” (2) creates a multi-layered, independent and binding redress mechanism; (3) satisfies the requirements of both EU law (as articulated by the CJEU) and U.S. law; and (4) allows the U.S. to make its own determinations on which countries qualify for purposes of permitting use of the redress mechanism.

Bellamy also stressed that the deal is part of a global trend that recognizes the need for consistency and reliability of data transfer mechanisms, as evidenced by the OECD’s soon-to-be-adopted Declaration on Government Access to Personal Data Held by Private Sector Entities.

Following Bellamy’s comments, Politico conducted a one-on-one interview with Didier Reynders, European Commissioner for Justice. Reynders stated that he was “quite confident” that the CJEU will uphold the new framework, and ranked the likelihood of success at 70-80%. Moreover, he challenged anyone criticizing the new framework to test it out first.

In the panel discussion that followed, key players from the negotiated deal and a subject matter expert from academia exchanged views on the details of the agreement and on points of criticism that have been raised. Panel members included Bruno Gencarelli, who heads the International Data Flows and Protection Unit at the European Commission, Alex Greenstein, Director of the Privacy Shield, and Professor Alex Joel of American University’s Washington College of Law.

In particular, Gencarelli stressed that “necessity” and “proportionality” are internationally familiar concepts not exclusive to the European Union. Thus, he explained, the EO’s inclusion of such concepts is not alien to U.S. jurisprudence.

Greenstein echoed those comments, further stating that the new deal was crafted in response to the detailed guidance given by the CJEU in Schrems II and therefore addresses the issues found lacking in the Privacy Shield.

In response to criticism that the new framework does not curtail bulk surveillance, Joel clarified that the European Court of Human Rights has recognized that intelligence agencies must at times engage in bulk surveillance. Schrems II was not so much concerned with bulk surveillance per se, said Joel, but rather with the circumstances of the bulk collection and the protections and safeguards surrounding that practice. The EO addresses those concerns by restricting bulk surveillance to situations where the information “cannot reasonably be obtained by targeted collection.”

Joel thought there was a very high chance of the deal surviving a legal challenge, provided the court focuses on the principle of “essential equivalence” and recognizes the limitations on judicial redress placed by the U.S. Constitution.

All panelists viewed the impending OECD Declaration on Government Access to Personal Data as a step towards building trust in international data flows, as envisioned by Japan with the “Data Free Flow with Trust” initiative. The panelists discussed further trends towards international convergence, such as the Global Cross-Border Privacy Rules initiative and the recognition of Standard Contractual Clauses across jurisdictions. A poll of Politico’s audience members reflected confidence in the new framework, with nearly 80% of poll respondents indicating that they will rely on the new framework, whether or not they think it will be upheld by the CJEU.