While a final resolution is near, there's been more wait-and-see periods than action during negotiations for the EU-U.S. Data Privacy Framework.

First it was months of waiting in between the provisional EU-U.S. agreement on data transfers and the executive order securing U.S. national security commitments. Now concerned parties are set to stand by another six months at least while the European Commission works through a potential adequacy decision.

Privacy professionals stood mostly idle through the extensive dialogues and deliberations as a majority of their previous EU-U.S. Privacy Shield obligations went unchanged in the proposed replacement framework. The lulls in talks led to more reflection and consideration of whether the new agreement would check the boxes that past transatlantic data flow deals could not.

A range of conversations at the IAPP European Data Protection Congress 2022 with relevant officials and stakeholders shed light on much-discussed aspects of the proposed DPF and whether the potential framework may eventually fall back under the Court of Justice of the European Union's microscope.

Draft adequacy decision top of mind

The European Commission's adequacy determination is underway and remains on schedule to be completed by spring 2023, according to video remarks at DPC 2022 from European Commissioner for Justice Didier Reynders. While noting it was "difficult to give a precise timeline," Reynders didn't refute the the potential for a six-month process similar to prior EU adequacy decisions. 

"This involves obtaining an opinion from the European Data Protection Board and a positive vote from (EU) member states. A draft adequacy decision is also subject to the scrutiny of the European Parliament," Reynders said. "Once this process is completed, the Commission will be able to adopt the final adequacy decision. From that moment on, companies will be able to rely on it to transfer data to the U.S. once in place."

European Data Protection Board Chair Andrea Jelinek declined to comment on her and the board's initial analysis of the proposed DPF, indicating the board's position will be reflected in its submission to the adequacy process when the time comes. However, she did take time to stress the importance of adequacy decisions in the context of global harmonization and "how to come to a common point of view."

"I've never negotiated adequacy decisions. But, as I know from my international work, you negotiate with people sometimes with a completely different cultural background," Jelinek said. "You start to understand the way of thinking even more and better. … So the decisions are also an opportunity to come closer in data protection and other fields, but also with these ethical and moral backgrounds."

Necessity and proportionality

At the crux of U.S. commitments and changes as part of the proposed DPF is an overhaul of necessity and proportionality within national security and foreign surveillance programs. The U.S. executive order shores up the CJEU concerns by instituting new safeguards focused on purpose limitation and necessity that U.S. national security entities must add to their policies and procedures.

When the executive order dropped in October, IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, explained how necessity and proportionality were "long perceived as EU-centric terms tied to long histories of CJEU and European Court of Human Rights jurisprudence" and the U.S.'s move to finally acknowledge the EU's view "is a clear shift that could place the EU and the U.S. on the same side of the table in future multilateral negotiations on privacy and surveillance."

The philosophical shift is not lost on U.S. Privacy and Civil Liberties Oversight Board Chair Sharon Bradford Franklin, whose office will take on reviews of necessity and proportionality in relevant agencies' policies and procedures under the executive order. Franklin spoke about the U.S. "joining the rest of the world and the international community in recognizing" the legal constructs around necessity and proportionality.

"They're not alien concepts even though that's not the terminology U.S. intelligence agencies typically use," Franklin said. "Thinking about things being necessary, that's a term that crops up. On proportionality, the intelligence community thinks more in terms of 'least intrusive means.' … As the agencies train their personnel on incorporating these protections, I just don't see it being so unfamiliar."

NOYB Honorary Chairman Max Schrems, who has twice succeeded in challenging and invalidating EU-U.S. data transfer agreements, isn't sold on the matching terminology. Schrems said use of "proportionality" under the replaced U.S. Presidential Policy Directive 28 concerning signals intelligence activities didn't satisfy the CJEU previously. His analysis of the proposed DPF suggests the proportionality definition hasn't changed and the CJEU will not turn a blind eye with the inevitable third challenge Schrems plans to bring.

"It's very political and diplomatic. (The two sides) agree that they weren't using the word … but then both say we have a different view and just walk away so on both sides of the Atlantic they can say 'we won the fight,'" Schrems said. "But we actually didn't win and I think that is a bit of a problem that we have on the material side."

For Hogan Lovells Partner Eduardo Ustaran, CIPP/E, equivalent proportionality standards rely less on a word-for-word match and more toward meeting data minimization principles laid out in the EU General Data Protection Regulation. He said CJEU justices will focus more on whether "the obligations that are, to an extent, binding on the intelligence community will work to make agencies implement that data minimization standard."

Redress court legitimacy

Schrems made a case against formal recognition of the U.S. Department of Justice's Data Protection Review Court, one of the two components to the redress mechanism set up by the U.S. executive order. He opined the proposed DPRC couldn't be formally recognized as a legitimate court under the U.S. Constitution, but also that its judge appointments do not meet the standards for a legitimate court laid out under Article 47 of the EU Charter of Fundamental Rights.

Determinations of legitimacy will ultimately be left to the EU adequacy decision and a potential CJEU claim. Microsoft Corporate Vice President and CPO and former U.S. Federal Trade Commissioner Julie Brill leaned into the necessary creativity from EU and U.S. negotiators. She described the many rules and legal hurdles privacy cases face through the U.S. federal court system, concluding the proposed redress court would generate better results.

"Frankly, it's a very, very effective solution to deal with this problem," Brill said. "Individuals who file a complaint … do not have to show injury. In fact, they can say I think my data was inappropriately accessed and I want to have a review of that. But they don't have to show that financial harm or other kinds of harm."

Constitutionality of the proposed DPRC gets much of the attention, but Schrems' Article 47 claim would be a key point of contention in any CJEU challenge to come. Ustaran said a deeper analysis of the definition of the redress court's makeup against with language used under Article 47 is key.

"I believe Article 47 uses the words impartial, independent and tribunal. So the question is whether this system amounts to a tribunal," Ustaran said. "It's a complex legal question. There are all kinds of bodies out there, including some data protection authorities, that act as a tribunal because they are structured in a way that they have impartiality with people from different walks of life. The fundamental thing for me is whether the decisions made by the court in this process are sufficiently impartial."