The movement of electronic personal data between the US and the EU is not just a requirement for internet-based companies and social media platforms, but an essential part of daily operations for thousands of organisations. Many Irish companies are deeply dependent on the data transfers underpinning an EU-US trade relationship valued at $7.1 trillion. But transfers have been under serious threat since the Court of Justice of the European Union (CJEU) confirmed what critics had been saying for years: existing EU-US data transfer agreements were unfit for purpose. When data from the EU is sent to the US, the US fails to protect that data to the standard of the EU’s General Data Protection Regulation (GDPR) and other laws and essential rights.
Ireland has had a prominent role throughout. The two previous EU-US data transfer agreements, Safe Harbour and its replacement, the Privacy Shield, were declared invalid in successive cases brought against Facebook in Ireland (now Meta) by Austrian lawyer and activist Max Schrems. The CJEU indicated that the minimal restrictions under which US intelligence agencies operate create an unacceptable environment in which data transferred from the EU is deprived of protections guaranteed by the EU. The US’s indiscriminate bulk data collection, use of a secretive court, inadequate agency transparency and accountability, and lack of redress mechanisms, are contrary to EU law.
Since the second, 2020 Schrems decision, companies have continued to make transfers using alternative mechanisms such as standard contractual clauses. But, in a dramatic decision last summer, the Irish Data Protection Commission ruled that – based on the CJEU’s views – Facebook could no longer use such contracts and would have to cease transferring data. If Facebook cannot use them, neither by extension can anyone else, a looming trade catastrophe.
The DPC’s decision seemed to focus US minds. Last Friday, US president Joe Biden signed an executive order that makes significant changes to the way in which US intelligence agencies operate. The order also adds appeals and oversight mechanisms for EU citizens, but notably, not for Americans. Short term, the order should secure the new EU-US Data Privacy Framework (DPF) agreement for transatlantic transfers, announced last March (without details) by Biden and EU president Ursula von der Leyen.
But executive orders can be discarded by future presidents. And, the new DPF is likely to be challenged, and eventually adjudicated by the CJEU. Congress urgently needs to fix changes to intelligence operations in law and agree long-awaited federal data protection legislation, to give the DPF a chance for success, ease trade obstructions, and adequately protect the data of both EU and US citizens.