The future of EU-US data transfers and its impact on MarTech

Joe Biden’s Executive Order aims to make room for the EU-US Data Privacy Framework by addressing two primary concerns in the Schrems II court case (which famously ruined the Privacy Shield program that many US-based SaaS or consumer internet companies adhered to): 

• Legal redress for EU citizens, by appointing a Civil Liberties Protection Officer that will hear complaints in first instance prior to allowing appeals to a new Data Protection Review Court
• Incorporation of principles of necessity and proportionality of the US government surveillance apparatus, by stating that “signals intelligence” may only occur for certain listed objectives

As expected, Max Schrems (of CJEU fame) was quick to point out that neither of those would suffice. 

At the core of his arguments: The US Fourth Amendment keeps making a distinction between US citizens and aliens when shielding people from government-sponsored surveillance (whereas EU law considers privacy a “fundamental human right” regardless of nationality).

As a consequence, when it comes to the solutions provided by the Joe Biden’s Executive Order and Department of Justice Regulations:

• Bulk collection of signals intelligence is still allowed, so the idea of proportionality “seems to have been lost in translation”
• The new court is not a real court (both the CLPO and DPRC report to the Director of National Intelligence), and EU nationals will not obtain substantive information about any findings following a complaint – so it would not satisfy the legal redress requirement. 

The best hope for the Data Privacy Framework’s success seems to lie now in the upcoming renewal of Section 702 FISA (Foreign Intelligence Surveillance Act) – a key piece of the puzzle, allowing US spies to freely collect data pertaining to non-US citizens.

No matter what, the Brussels hallways will take months to digest the Data Privacy Framework, and then all EU capitals will take their turn.

If we had to find an immediate positive impact, Transfer Impact/Risk Assessments tied to the use of Standard Contract Clauses (an alternative personal data transfer vehicle severely wounded by the Schrems II decision) are likely to require a lower bar. The same could be said of “supplementary measures” equally required in the use of SCCs (these being dependent on the specific risks associated with surveillance practices in place at the country of destination). Most US-based Marketing Technology solutions have been relying on this instrument for the past few months.

(Photo by Ximena Pineda on Unsplash)