Technology | EU-US Data Privacy Framework: Latest developments
What is the EU-US Data Privacy Framework?
The draft adequacy decision on the Framework is intended as a legal basis for ensuring lawful transfers of personal data between EU and US entities. Under the GDPR, transfer of personal data to third countries (outside the EEA) is prohibited, unless the transfer is subject to safeguards ensuring an adequate level of protection for the personal data transferred. One such safeguard is the presence of an adequacy decision issued by the Commission. Such a decision can be granted to a third country if it provides guarantees that is essentially equivalent to those offered within the EEA.
Previously, EU-US transfers were enabled through the adequacy decision on the Privacy Shield, and its predecessor called the Safe Harbor Principles. However, both frameworks were invalidated by the Court of Justice of the European Union after lawsuits initiated by the Austrian privacy activist Max Schrems. Both invalidations were primarily due to the existence of US surveillance laws that granted the US government disproportionate rights to access personal data. As a result, the level of protection for personal data in the US was not deemed equivalent to that provided within the EEA.
Due to the economic impact of impeding data flows between the EU and US, finding a swift replacement for the Privacy Shield has become a top priority. Consequently, EU and US authorities have been collaborating to establish common ground as a basis for a new adequacy decision.
The GDPR sets out specific criteria that a country must meet for the Commission to grant it an adequacy decision. The US will need to ensure effective independent data protection supervision and a cooperation mechanism with the EU needs to be established. Most importantly, data subjects must have effective and enforceable rights and effective administrative and judicial redress.
US authorities have attempted to meet these criteria. On 7 October 2022, President Biden signed an Executive Order (EO 14086) directing the steps to be taken by the US to implement its commitments under the new Framework. Having regard to the steps to be taken by the US, the Commission published a draft of the adequacy decision in December, which recently received criticism by LIBE.
What is LIBE’s stance?
On 14 February, LIBE issued a resolution urging the Commission not to adopt an adequacy decision based on the new Framework. In LIBE’s opinion, the Framework fails to create “actual equivalence” with the level of data protection provided in the EEA. According to LIBE, there are discrepancies in the definitions of crucial concepts such as necessity and proportionality between EU data protection law and US law. The US government has declared in an Executive Order that it will be applying its own definitions of these terms to its surveillance laws. Furthermore, LIBE inter alia points out that the Executive Order does not prohibit so called bulk collection of data and does not apply to other means US’ public authorities have for collecting data – such as through the Cloud Act and Patriot Act. LIBE also points out several shortcomings of the proposed mechanism to supply redress, the Data Protection Review Court (“DPRC”). Most importantly, their decisions will not be made public or available to the complainant, the DRCC will be part of the executive branch and not the judiciary, and there will be no mechanism for appeal. In sum, LIBE’s opinion is that the DRCC will not meet the standards of independence and impartiality required by EU standards.
The EDPB’s opinion
The EDPB issued their opinion on 28 February. In its statement, the EPDB welcomes “substantial improvements” such as the introduction of requirements regarding principles of necessity and proportionality applicable to the gathering of data performed by US intelligence, as well as the new redress mechanism for EU data subjects. However, the EDPB also express some concerns and requests several clarifications. The EDPB particularly point out the data subject’s rights to access, rectification, erasure and objection, restrictions on onward transfers, scope of exemptions, temporary bulk collection of data and the practical functioning of the redress mechanism.
In relation to the adaptations made to US law through EO 14086, the EDPB welcomes the two new requirements that are introduced due to Schrems II: (i) That signals intelligence activities shall be conducted only as far as necessary to advance a validated intelligence priority collection and only to the extent and in a manner that is proportionate to the validated intelligence priority; and (ii) the redress mechanism for data subjects.
However, the EDPB points out that requirements in EO 14086 needs to be further implemented through policies and procedures for the different intelligence agencies, for them to have effect in daily operations. On this background, the EDPB’s recommendation is that the adoption and entry into force of the adequacy decision is made conditional that such policies and procedures are actually implemented by US authorities.
There are several procedural steps before an adequacy decision can be finalized by the Commission. The European Parliament will likely soon issue their opinion on the adequacy decision. Thereafter it will be presented for the EU member states for approval before the adequacy decision will be finalized. Approval requires the support of 15 EU member states representing a total of 65 % of EU citizens.
Following the publishing of the draft in December 2022, the Norwegian Data Protection Authority stated that the Commission would likely formally approve the adequacy decision in the first half of 2023, and that the Framework would enter into force upon the implementation of the relevant changes to US law. Even though LIBE’s resolution and EDPB’s opinion which, if taken into account by the Commission may lead to further amendments and negotiations, it is expected that a final decision will be made around August.
Efficient data flows are essential for economic growth of both the EU and the US. However, there has been significant debate over the past years about US mass surveillance and its impact on the fundamental rights of EU citizens. Against this backdrop, it is difficult to assess whether LIBE’s opinion will lead to new negotiations and work towards limiting US surveillance laws further, or if the political pressure on reaching an agreement quickly will prevail.
The Commission has a history of not adhering to LIBE’s opinions, which was what happened prior to the approval of the Privacy Shield Framework. However, this time the EU Parliament has called on the Commission not to adopt any new adequacy decision in relation to the US, unless meaningful reforms are introduced. Data protection authorities will likely also feel the need to apply pressure in order to ensure a robust framework, which inevitably also must withstand lawsuits from privacy activists.
Until an adequacy decision is in place, European businesses will still need to rely on other transfer mechanisms under the GDPR, such as Standard Contractual Clauses supported by transfer impact assessments. Even if an adequacy decision is passed, each relevant US company still needs to achieve certification under the new Framework before EU companies can rely on the Framework for lawful transfers.