View from Brussels: Privacy for privacy’s sake

US President Joe Biden’s decision to sign an executive order on transatlantic data flows marked a significant leap forward in what has been a very complex and divisive issue for Brussels and Washington.

In 2015, the Safe Harbor Privacy Principles were declared invalid by the European Court of Justice (ECJ) in a case involving Facebook data. Its successor, the Privacy Shield, was set up in 2016 but was again struck down by the court in 2020.

Earlier this year, the EU and Biden’s administration agreed to work together on the Trans-Atlantic Data Privacy Framework. The president’s executive order makes good on a number of the promises made under the initial agreement.

For example, it creates a data protection review court within the Department of Justice. This will enable EU citizens to file legal complaints if they feel that their data has been improperly collected or misused.

In addition, Biden’s order will instruct the US intelligence agencies only to collect data that is necessary. How this is interpreted in practice is another matter but it goes some way to assuaging EU concerns.

Perhaps most notably though, the US will now be able to assess how EU-based intelligence agencies use data. Washington has long complained that its safeguards are scrutinised more heavily by Brussels than those of the EU’s own member states.

The European Commission now has to confirm Biden’s executive order and secure special status from the US attorney-general, so that the new framework can take effect. 

Top justice official Didier Reynders told Politico that he is confident that the new rules can survive legal scrutiny and that there is a lot of work ahead in order to settle on a final agreement that does not again fall foul of the ECJ.

Max Schrems, a data privacy activist who was the main architect of the Privacy Shield’s downfall, is still to decide whether to take up legal arms once again but has already said that the lack of change of bulk surveillance principles means it should go back to court.

The Commission is only expected to finalise everything in March 2023, which means that companies dealing in transatlantic data – such as Facebook – can continue their operations using the pending decision as a legal shield.

GDPR teeth

However, the effectiveness of GDPR may yet suffer after a top legal adviser at the European Court of Justice cast doubt on whether victims of improper data use should be eligible for compensation.

An ongoing legal case between Austria’s postal service and a plaintiff that alleges their data was misused has been referred up to the ECJ after two courts dismissed the action.

In the case, the plaintiff says that Austria’s postal service used their data to determine their political party allegiance and targeted him with election adverts based on those calculations. He is seeking €1,000 in compensation for “non-material damage or inner discomfort”.

According to an advocate-general’s opinion on the case published at the beginning of October, the plaintiff’s unease with how their data has been used may not be sufficient to qualify for compensatory measures.

The AG says that extra non-material damages may have to be demonstrated in order for the case to yield that kind of outcome.

Suzanna Vergnolle, an associate professor in technology law, says that this might contradict civil-liability principles in some countries, most notably France.

“Overall, I am disappointed with this opinion and I believe it might put in peril a lot of potential actions,” she warns, adding that non-material damages are hard to prove, especially from a legal standpoint.

The opinion, which is not binding but does inform heavily the ruling that judges will issue later on, also suggests that awarding damages might encourage people to go to court instead of lodging complaints with data supervisory bodies.

It seems like a strange interpretation of GDPR’s principles, which are basically designed to prevent companies from abusing the data they collect. Removing the compensatory element of complaints would seriously water down the preventative nature of the regulation.

The ECJ has played a defining role in how Europe handles and regulates data and this appears to be yet another chapter in that story.