Opinions aplenty on the European Commission’s draft adequacy decision regarding the EU-US Data Privacy Framework
The Question
How have the EU law-making institutions reacted to the draft adequacy decision regarding the EU-US Data Privacy Framework (DPF)?
The Key Takeaway
Key EU institutions have all expressed concerns over several elements of the DPF in terms of its compliance with key elements of the General Data Protection Regulation (GDPR). The DPF is still being negotiated between the EU Commission and the US.
The Background
Transfers of personal data between the EU and US were previously permitted under the Privacy Shield. However, following a legal challenge by privacy campaigner Max Schrems (Schrems II), the Privacy Shield was invalidated. In 2022, the European Commission and the US began to work on a replacement transfer framework and, at the end of last year, President Biden signed an Executive Order setting out the steps the US will take to meet its obligations under the DPF (see Winter 2022 Snapshot). Subsequently, the European Commission published its draft adequacy decision in December 2022.
The Development
Both the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee) and the European Data Protection Board (EDPB) have published their opinions on the DPF, and the Members of the European Parliament (MEPs) have voted on whether to greenlight transfers of personal data under the DPF as currently drafted.
On 14 February 2023, the LIBE Committee outright rejected the DPF, concluding that it “fails to create actual equivalence in the level of protection [that the EU GDPR gives to data subjects]”. Its reasons for reaching this decision included the fact that: the DPF does not prohibit the bulk collection of data by intelligence agencies; the DPF does not apply to data accessed by public authorities through certain methods such as through commercial data purchases; the Executive Order can be amended at any time by the US President; and the decisions of the newly-created US Data Protection Review Court will not be made public.
The EDPB’s opinion, although slightly less critical of the DPF, commented that the DPF failed to comply with several of the key elements of the EU GDPR, such as the rights of data subjects to access a copy of their personal data and the right to object to their personal data being processed.
On 11 May 2023, MEPs voted in support of a text that echoes the opinions of the LIBE Committee and the EDPB and added that it was not yet possible to assess the impact of the DPF whilst the US Intelligence Committee is “still updating its practices”. The text ultimately held that “we are not there yet. There are still missing elements on judicial independence, transparency, access to justice, and remedies”.
It should, however, be noted that the opinions generally welcomed the progress made thus far, for instance restrictions on the ability of the US Government to access personal data, which had been a key factor in the Schrems II decision to invalidate the Privacy Shield.
Why is this important?
Following the success of the legal challenges made to the Privacy Shield, it is clear that the DPF is going to be critiqued, scrutinised and, in all likelihood, legally challenged. The basis of the adequacy decision system is that the non-EU country in question has essentially the same level of data protection measures in place as in the EU, where such measures are arguably the most stringent in the world. The opinions of the LIBE Committee, EDPB and MEPs highlight that considerable changes are likely still required for the DPF to be sufficiently on par with the EU GDPR to be able to withstand a legal challenge.
In mid-May 2023, EU and US representatives met to continue the discussion around the DPF. It will be interesting to follow how the DPF is addressed in light of the criticism it has so far received.
Any Practical Tips?
As noted in our Winter 2022 Snapshot, there remains considerable uncertainty in relation to the final format of the DPF, such that it is too early for organisations to know how and when they will be able to rely on it as an adequacy method. Until this uncertainty is resolved, organisations should continue to rely on existing methods of adequacy, such as the standard contractual clauses, when transferring personal data between the EU and the US.
Summer 2023
Stay connected and subscribe to our latest insights and views
Subscribe Here