The two-month-old European Union-U.S. Data Privacy Framework (EU-U.S. DPF) recently overcame its first legal challenge after French parliament member Philippe Latombe filed two suits against it. Latombe’s legal actions attempted to suspend the agreement and disrupt transatlantic data flows immediately. He believes the agreement violates the EU’s Charter of Fundamental Rights, as it “insufficiently guarantees respect for private and family life.” The General Court of the European Union rejected this argument, issuing an interim ruling that Latombe failed to demonstrate he would suffer serious harm if the EU-U.S. DPF was not suspended. Even though the agreement withstood its first legal test, future challenges still loom. Privacy advocates like Austrian national Max Schrems have already sounded the alarm, stating they will also challenge the new framework because it is “largely a copy of the failed ‘Privacy Shield.’”

Legal challenges to transferring European subjects’ data to the United States are an endless saga that reveals vast differences in data privacy expectations between the two economic world powers. The EU and United States’ integrated economic relationship—with trade flows worth 7.1 trillion dollars—is vitally important to global trade flows and helps define the shape of the global economy. Any disruption to these agreements will negatively impact small and medium-sized businesses, which comprise 70 percent of the companies that used the Privacy Shield framework. However, for the past two decades, the extensive bilateral trade and investment relations between the EU and the United States have experienced legal uncertainty after several EU court decisions torpedoed their adopted data transfer agreements, citing a lack of data protection in the United States. This legal uncertainty can also impact consumers by forcing companies to localize their data or limit their service offerings.

It took 18 months of negotiation to solidify the EU-U.S. DPF and resolve the murkiness businesses faced when transferring EU data to the United States. In July 2023, after evaluating the agreement, the European Commission (EC) adopted an “adequacy decision” that concluded it offers adequate protection for EU data transferred by U.S. businesses implementing the framework. Once again, data could freely flow from the EU to the United States.

The EU-U.S. DPF is crucial in continuing the economic relationship between the two. A disruption to the agreement could impact U.S. banks’ lending, flight itineraries, hotel reservations, and medical and technological research. The Achilles’ heel of previous data flow agreements is the difference in each country’s approach to data privacy rights. Because privacy is not enumerated in the U.S. Constitution, the country operates without a comprehensive data privacy and security law. Instead, it depends on a patchwork of comprehensive state laws, sectoral legislation and regulations. In contrast, the EU recognizes privacy as a fundamental human right and relies on a comprehensive privacy law—the General Data Protection Regulation.

How the New Transatlantic Framework Operates

Like the now-defunct Privacy Shield, the EU-U.S. DPF is a self-certification program in which participants commit to complying with certain principles (the same in both frameworks). The core issue that doomed prior trade agreements was the perception that U.S. intelligence agencies did not adhere to proportionality principles when accessing or using EU data. According to EU courts, there were no binding redressability mechanisms for EU data subjects when violations of the framework’s principles occurred. President Joe Biden’s Executive Order 14086 (EO 14086) attempted to address these issues. The EO created enhanced safeguards for U.S. intelligence agencies, including strong oversight, legitimate and clear objectives, adherence to proportionality principles and a binding redress mechanism for EU data subjects via the Data Protection Review Court (DPRC).

A significant hurdle to overcoming EU court decisions was the absence of an independent mechanism for EU data subjects to address privacy violations by U.S. intelligence agencies. To remedy this, the DPRC was established within the U.S. Department of Justice. Six or more judges will be appointed by the attorney general (AG) to renewable four-year terms. Significantly, the judges will not be supervised or subject to dismissal by the AG; instead, they will be independent from the U.S. government to ensure impartial complaint reviews. First, the civil liberties protection officer in the Office of the Director of National Intelligence will investigate and review complaints to determine if a violation has occurred. Complainants and members of the intelligence community can then appeal that decision to the DPRC to ensure it was legally correct and supported by substantial evidence.

EU data subjects can also levy complaints against U.S. businesses that fail to adhere to the framework’s binding principles. While the EU-U.S. DPF is a voluntary program, adherence to the framework becomes legally binding once a business self-certifies. The International Trade Administration will administer the program within the U.S. Department of Commerce, working with the Federal Trade Commission and other statutory bodies to ensure compliance with stated principles and to facilitate and investigate complaints from EU data subjects.  

How this framework’s reworked redressability mechanisms will withstand the inevitable future litigation levied against it is largely unknown. We must be prepared for the rough roads that are likely ahead.

This is part of the series Transatlantic Data Flow Chronicles: Unveiling Past and Current Data Diplomacy.