Promises unkept: The EU-US Data Privacy Framework under fire

A decade after Snowden’s revelations — and despite the public outrage they sparked — surveillance and mass data collection continue under the EU-U.S. Data Privacy Framework (DPF), while persistent privacy concerns go unanswered. This shift reflects a reorientation of EU priorities toward economic and geopolitical interests, risking compromises on privacy and data protection.

By EDRi · November 20, 2024

EU appears willing to compromise on privacy according to Commission’s review of EU-US Data Privacy Framework

In 2013, former National Security Agency (NSA) contractor Edward Snowden revealed a massive surveillance operation conducted by the US government, centred around its NSA programs. These disclosures showed that the NSA had partnered with major tech companies and used advanced surveillance systems to collect and monitor vast amounts of data on both US and foreign citizens, often without probable cause or judicial oversight. This revelation sent shockwaves around the world, particularly in Europe, where privacy rights are theoretically highly valued and protected.

A decade on, however, little has fundamentally changed, with surveillance practices largely continuing as before. Despite the initial backlash, the EU appears to have settled into a stance of ‘business as usual,’ suggesting a level of comfort — or at least tolerance — for ongoing mass data collection when it comes to certain countries. A telling example is the European Commission’s recent one-year review of the EU-US Data Privacy Framework (DPF), which offered a positive assessment that downplays significant concerns about both state and commercial surveillance. These concerns, highlighted by a range of stakeholders, including the European Parliament, underscore critical issues with the DPF that remain unresolved.

While the Commission’s report aligns with its new mandate’s priorities of bolstering geopolitical and economic competitiveness, it risks prioritising these objectives over robust protection for fundamental rights. By glossing over the root problems that led to the annulment of previous agreements like Safe Harbor and Privacy Shield, the EU appears willing to compromise on privacy and individual freedoms to secure a smoother transatlantic data flow and reinforce its position in an increasingly competitive global landscape.

This approach reveals a growing tension within the EU’s own self-declared values: the need to protect people’s fundamental rights versus the economic and political pressures to maintain strong ties with the US in areas like trade, defence, and technology. By not adequately addressing the recurring concerns about unchecked surveillance practices, the EU runs the risk of establishing a precedent for other countries to which adequacy status is granted or renewed. In these cases, data protection rights may increasingly be sidelined when they clash with the demands of global competition, political alliances, or even human rights considerations.

The EU’s Failure to Address the (Almost) Unlimited Reach of U.S. State Surveillance

The concerns surrounding state surveillance in the context of the DPF are both profound and troubling. The European Court of Justice (CJEU) ruled in Schrems I and Schrems II that US surveillance practices, particularly under Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, violate the privacy rights of EU citizens. The crux of the issue lies in the fact that these laws allow broad data collection by US intelligence agencies, leaving EU data vulnerable to indiscriminate surveillance.

Despite the Commission’s attempt to assure citizens that the DPF offers a robust framework, the reality is that little has changed in US law since these pivotal rulings. The CJEU found that FISA 702 bulk surveillance was not ‘proportionate’ under Article 52 of the EU’s Charter of Fundamental Rights. The significance of this ruling cannot be overstated; it established a clear expectation that any surveillance must be limited, targeted, and justified.

A missed opportunity to rectify this failing arose when the war in Ukraine allegedly forced an acceleration in negotiations between the EU and the US. Following 1.5 years of stalled discussions, Joe Biden and Ursula von der Leyen announced a one-page agreement in March 2022 which, rather than addressing the deep-rooted surveillance issues, relied on terminological contortions to placate public concern. For example, while the CJEU had previously found that bulk surveillance was not proportionate, a new Executive Order introduced the term ‘proportionate’ without any substantive change in its application and in a manner that is disconnected from the CJEU’s interpretation. This wording game allowed both sides to claim victory while fundamentally misrepresenting the reality of the legal protections in place.

Moreover, the DPF does not adequately account for the nuances of US surveillance laws, which can operate in secrecy, often without judicial oversight. The CJEU’s insistence on the need for effective legal remedies for EU citizens who might be subject to US surveillance practices remains unaddressed. The DPF lacks robust mechanisms for individuals to challenge surveillance practices, a gap that could lead to significant violations of privacy rights. In this regard, the Commission’s review mentions the introduction of the Data Protection Review Court (DPRC) as a means of addressing grievances, but concerns about its independence and effectiveness loom large. This court is supposed to provide EU citizens with a forum to seek redress against violations of their privacy rights, yet it remains largely untested. With no cases having been resolved thus far, the DPRC risks becoming yet another ineffective body, echoing the shortcomings of its predecessors.

More worryingly, this context marks a missed opportunity for the EU to have adopted a stronger stance that could have driven meaningful reforms in US surveillance laws. Since 2020, the US has done little to curb the potential overreach of its intelligence services. The DPF remains inadequately reviewed, even as recent legislative changes unfold; furthermore, FISA Section 702 was extended despite a ‘sunset clause’ that usually paves the way for reform. With the new deal in place, the US has little motivation to enhance its surveillance framework, leaving privacy protections hanging in the balance.

Big Brother in Business: The DPF’s Insufficiencies Regarding Commercial Surveillance

While state surveillance poses a direct threat to individual privacy rights, commercial surveillance adds another layer of complexity. The DPF’s focus on transatlantic data transfers raises significant questions about how US companies process personal data, particularly regarding third-party data sharing for commercial purposes. It is also crucial to consider that US agencies purchase commercial data from digital marketing sources, as Byron Tau highlights in his compelling book Means of Control. The self-certification requirement for US companies under the DPF means that organisations can claim compliance without rigorous oversight or penalties for violations, creating a ‘Wild West’ environment for data processing.

The rise of digital marketing, targeted advertising, and extensive data analytics has transformed the way companies handle personal information. Users are often unaware of how their data are collected, processed, and sold, leaving them vulnerable to exploitation. The DPF fails to address the power imbalance between large tech companies and individual users, which can lead to significant privacy violations. For instance, companies might gather extensive data profiles based on tracking users’ online behaviours, preferences, and even their interactions on social media, creating a comprehensive digital identity that can be exploited for profit.

The Commission’s report (and a recent EDPB report) acknowledges the necessity for the US Department of Commerce to step up efforts in monitoring compliance with the DPF principles.

In a world where data has become a vital source of power, the absence of effective enforcement mechanisms for data protection creates serious vulnerabilities. Without clear and robust measures to ensure that data protection laws are upheld, individuals’ privacy rights are at risk of being violated, leaving personal information exposed to misuse and exploitation. A failure to implement stricter regulations on data handling practices means that companies can continue to operate with impunity, prioritising profit over people’s privacy.

Furthermore, the growing hype about Artificial Intelligence exacerbates the inadequacies of the DPF. AI systems and models, particularly in the case of Big Tech providers based in the US, often rely on vast datasets, which inevitably include sensitive information obtained through questionable means. This raises fundamental questions about consent and the processing of personal data. For instance, a data controller cannot claim not to process sensitive data if they collect it — even if they later filter it out for training purposes and argue that the data is (almost always imperfectly) anonymised. This highlights the need for robust safeguards against mass data collection practices even more, especially in light of US government surveillance programs.

The recent AP v. Uber case, in which the Dutch Data Protection Authority (DPA) fined Uber €290 million for failing to implement the necessary safeguards under Article 46 GDPR for transferring personal data to its parent company in the US, highlights critical concerns about transatlantic data transfers. Despite the DPF being in place, the case underscores that organisations cannot rely solely on these frameworks and must ensure robust safeguards, such as Standard Contractual Clauses. The fine signals regulators’ growing willingness to scrutinise data transfers and reinforces the GDPR’s emphasis on accountability, stressing that compliance is not a mere formality but a substantive commitment to protecting personal data.

This decision raises further questions about the adequacy of the DPF, particularly regarding the potential for US surveillance and access to data, continuing the debate around whether the framework can truly ensure EU-level protections for personal data. The case ultimately serves as a cautionary reminder that companies must actively implement and monitor safeguards, rather than relying on symbolic compliance, to avoid significant penalties.

Advocating for Rights over Economic Interests

When EDRi member noyb announced that they had filed complaints against X regarding the use of personal data for AI training, one of the central issues raised was what had happened to EU data that had already been used by the platform. We could have logically assumed that some of this data might already be subject to US mass surveillance, given that the company most likely cannot properly separate EU and non-EU data. This issue highlights some of the core insufficiencies of the DPF and its ability to provide meaningful protection for data subjects in the EU.

The EU’s endorsement of the DPF, highlighted in the recent Commission report, raises serious concerns about prioritising economic interests over fundamental rights. While the framework is touted as a solution for previous failings of the existing adequacy decisions, it fails to adequately address the critical issues identified in the Schrems I and II rulings. Without significant reform of US surveillance laws and a steadfast commitment from EU institutions to uphold GDPR standards, the DPF risks becoming another ineffective framework, vulnerable to legal challenges and potential invalidation by the CJEU.

Looking forward, we cannot afford to wait for a hypothetical Schrems III, even if many of us are eager for it. We must keep urging the European Commission to uphold GDPR principles, resisting any attempts to sidestep these standards for the sake of geopolitical alliances or economic competition. The future of data protection and privacy, along with the protection of various individual and collective rights intertwined with it, hinges on a unified effort to hold both EU and US authorities accountable. It is essential that the voices of individuals and civil society are meaningfully acknowledged and respected in the ongoing discourse on data protection.

In the coming months — especially after the new U.S. president takes office — we are likely to hear mounting calls for stronger transatlantic cooperation, framed as essential if the EU hopes to remain competitive against Chinese tech. Often, however, this rhetoric implies that the EU should compromise on its privacy standards. The stakes are high, indeed. As technology continues to advance, our commitment to safeguarding rights must remain steadfast, ensuring that fundamental rights are not sacrificed for economic gain. The time for change is now, and we must advocate for a future where data protection is not just an afterthought, but a critical value that is honoured and upheld.

Itxaso Domínguez de Olazábal (She/Her)

Policy Advisor

@itxasdo