This week, U.S. President Joe Biden is expected to sign an executive order cementing the legal basis for the Trans-Atlantic Data Privacy Framework, aka “Privacy Shield 2.0.” The executive order will likely create a redress mechanism, which will allow European individuals to challenge — or at least gain a modicum of insight into — surveillance practices by U.S. national security agencies.
On a smaller scale but in the same vein, the government of Israel issued a draft decision Monday, announcing Israel’s Privacy Protection Authority will be “independent in applying the powers vested in the head of the PPA under the law.” This was meant to satisfy the requirements of the European Commission, which is currently reassessing Israel’s 2011 adequacy decision.
Both of these decisions are motivated by the U.S. and Israel governments’ interest to convince the Commission — which in turn tries to satisfy the Court of Justice of the European Union — that their laws are “essentially equivalent” to EU law.
In so doing, U.S. and Israel participate in a form of data transfer theater. They dance to the tune of the European Commission to eliminate a trade inconvenience, even as it is questionable whether EU member states themselves comply with the standards set by the CJEU.
Indeed, it will be interesting to see whether the U.S. government requests reciprocity for its concessions, imposing similar proportionality and redress requirements on national security agencies in EU member states. And while Israel certainly won’t point to EU shortcomings, it’s an open secret that many European DPAs do not have complete independence. Some are appointed through a highly politicized process, managed by national or local party chiefs, while others are funded or staffed through a government process.
It’s no coincidence that in both cases, the governments of the U.S. and Israel will act through administrative powers and not legislative amendments. Different democratic countries have different constitutional and administrative frameworks, which don’t always fully align with the EU’s. For example, the U.S. Constitution places significant restrictions on the creation of and standing before Article III courts. Hence, the new executive order will likely establish a “quasi-judicial body” to adjudicate European complaints, as opposed to offering statutory judicial review. Similarly, in Israel, the powers of administrative and law enforcement agencies such as the Privacy Protection Authority are set forth in the law. This week’s decision about PPA independence is a government declaration, unaccompanied by any legislative amendment.
A decade ago, when Israel negotiated its EU adequacy standard, the question of PPA independence already arose. At the time, the European Commission accepted the Israeli argument that while the PPA is part of the Ministry of Justice, it is essentially independent. As an administrative agency, the PPA isn’t subject to the discretion of political officials, such as the prime minister or justice minister. While it is subject to the authority of Israel’s attorney general, that office itself is highly independent under Israeli law. Consider the fact that over the past decade, Israel’s attorneys general indicted on criminal charges a sitting prime minister, president, justice minister and more. Israel’s argument at the time was that its constitutional and administrative system can accommodate an agency that is either fully independent or with strong enforcement powers, but not both. In other words, under Israeli law, fully independent authorities typically lack enforcement powers while strong enforcement agencies are part of the executive branch.
What amounts to complete independence for DPAs around the world is a complicated mix of substantive and procedural factors. To be sure, independent privacy commissioners aren’t influenced by political officials with respect to issues under their jurisdiction. But independence also extends to rules about appointment, termination and funding. Are DPAs appointed by a political process? Could they be terminated without cause? And who is responsible for budgeting the agency? In Israel, for example, the DPA might fare better as part of the Ministry of Justice budgeting process than having to fend for itself in the Knesset (Parliament) budgetary season.
At the end of the day, does the EU adequacy mechanism improve global data protection?
On one hand, the adequacy mechanism exported features of the EU General Data Protection Regulation all over the world, a positive outcome for businesses and individuals. On the other hand, it has also led to perverse results. For example, California privacy advocates have recently advanced the state’s quest for EU adequacy status at the cost of undermining federal privacy law in the U.S. The California adequacy argument rings hollow: the California Consumer Privacy Act doesn’t even apply to European’s personal data; it protects strictly California residents. And California remains subject to the same national security agency powers as the rest of the U.S. Despite that, California “adequacy” has become a de facto impediment to the passage of U.S. privacy legislation.
This week will prove pivotal to adequacy arrangements in the U.S. and Israel. Whether these determinations hold up to legal challenges — not only in the EU but also in the U.S. and Israel — remains to be seen.