The future of EU-US data transfers and its impact on MarTech

Joe Biden’s Executive Order aims to make room for the EU-US Data Privacy Framework (Privacy Shield 2.0) by addressing two primary concerns in the Schrems II court case (which famously ruined the Privacy Shield program that many US-based SaaS or consumer internet companies adhered to):

• Legal redress for EU citizens, by appointing a Civil Liberties Protection Officer that will hear complaints in first instance prior to allowing appeals to a new Data Protection Review Court
• Incorporation of principles of necessity and proportionality of the US government surveillance apparatus, by stating that “signals intelligence” may only occur for certain listed objectives

As expected, Max Schrems (of CJEU fame) was quick to point out that neither of those would suffice.

At the core of his arguments: The US Fourth Amendment keeps making a distinction between US citizens and aliens when shielding people from government-sponsored surveillance (whereas EU law considers privacy a “fundamental human right” regardless of nationality).

As a consequence, when it comes to the solutions provided by the Joe Biden’s Executive Order and Department of Justice Regulations:

• Bulk collection of signals intelligence is still allowed, so the idea of proportionality seems to have been lost in translation
• The new court is not a real court (both the CLPO and DPRC report to the Director of National Intelligence), and EU nationals will not obtain substantive information about any findings following a complaint and so it would not satisfy the legal redress requirement.

The best hope for the Data Privacy Framework’s success seems to lie now in the upcoming renewal of Section 702 FISA (Foreign Intelligence Surveillance Act) – a key piece of the puzzle, allowing US spies to freely collect data pertaining to non-US citizens. The US Congress has a shot at curtailing it reach in January 2023.

No matter what, the Brussels hallways will take months to digest the Data Privacy Framework, and then all EU capitals will take their turn, so even if it ends up obtaining a green light from the EU Commission (subsequently challenged by a Schrems III or not), businesses using US-based MarTech or AdTech SaaS (or, rather, their DPOs) will continue to swim in choppy waters.

If we had to find an immediate positive impact, Transfer Impact Assessments tied to the use of Standard Contract Clauses (an alternative personal data transfer vehicle severely wounded by the same bullet that killed the Privacy Shield: Schrems II) are likely to require a lower bar, in light of the diminished risks resulting from this Executive Order and DoJ Regulations. The same could be said of “supplementary measures” equally required in the use of SCCs (these being dependent on the specific risks associated with surveillance practices in place at the country of destination).

As a result, US-based MarTech SaaS may have to wait many months before they can rely on a Privacy Shield 2.0, but those who can afford larger regulatory compliance teams may have found a way to cling on to their existing customers.

Original publication Sergio Maldonado on 01/12/22, available on Privacy Cloud

(Photo by Ximena Pineda on Unsplash)

‍