Current concerns regarding the EU-US Data Privacy Framework
On the 14th of February 2023, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (hereinafter: ‘Committee’) determined that the proposed EU-US Data Privacy Framework should not be adopted in its current form. The European Data Protection Board (hereinafter: ‘EDPB’) came to a similar conclusion in its opinion from the 28th of February 2023.
This blog provides details on the latest developments regarding the EU-US Data Privacy Framework, whilst also taking a closer look at the lessons learned from previous transfer mechanisms and the way in which they have shaped the opinions of the Committee and EDPB.
Prior mechanisms
In the past, personal data was exchanged between the EU and US on the grounds of the EU-US Privacy Shield. This was a contract concluded between the EU and the US, covering the protection of personal data from European citizens in the US.
On the 16th of July 2020, the Court of Justice of the European Union (hereinafter: ‘CJEU’) concluded that the EU-US Privacy Shield was invalid, because the mechanism could not ensure an adequate level of protection of EU citizens’ personal data within the US. This made the transfer of personal data between the EU and US significantly more difficult, considering that the extensive surveillance laws and regulations made it virtually impossible for organizations to guarantee an adequate level of protection within the US.
After those developments, the EU and US went back to the drawing board to draft a new framework that would meet the privacy requirements laid down in the EU’s General Data Protection Regulation (hereinafter: ‘GDPR’). On the 25th of March 2022, the European Commission and the US government issued a joint statement, in which the parties declared that they had reached a “deal in principle” for a new Trans-Atlantic Data Privacy Framework.
This arrangement still needed to be translated into legal documents. One of the first steps taken in the legislative process was the signing of the US Executive Order and its accompanying regulations on the 7th of October by President Biden. The Executive Order curtailed the US investigative authorities’ access to personal data, seemingly paving the way for the arrival of a new EU-US Data Framework.
The Committee
In a draft motion for a resolution, the Committee expressed concerns that US domestic law is not fully compatible with the GDPR. One example is the lack of strong safeguards surrounding government surveillance and consumer protection. The Committee is therefore of the opinion that the US is unable to provide the exact same level of protection that EU-citizens might enjoy within the European Economic Area (EEA).
Moreover, the Committee has raised concerns regarding the fact that the Executive Order places no restrictions on large-scale data collection by investigative agencies. The Committee also notes that the US president can expand the list of legitimate purposes for which personal data from EU-citizens may be used at any given time. There is no obligation to make these changes public.
The Committee therefore concludes that the framework - in its current form - should not be accepted, unless substantive modifications are made.
European Data Protection Board
Shortly after, the EDPB also shared its opinion on the draft adequacy decision. The EDPB acknowledges that some improvements have been made, such as the introduction of the principles of necessity and proportionality for US intelligence agencies. Nevertheless, the EDPB also recommends addressing the remaining concerns, whilst also requesting more clarity on several points.
The concerns relate particularly to the rights of EU-citizens, further transfers of personal data, temporary bulk collection of data, the scope of exemptions and the practical functioning of the redress mechanism. Moreover, the EDPB wants the entry into force to be conditioned upon the adoption of updated policies and procedures by all US intelligence agencies. The EDPB also recommends that the Commission assess these updated policies and procedures and share its findings with the EDPB.
Conclusion
With both the Committee and the EDPB still having concerns regarding the EU-US Data Privacy Framework, it might take some time before the mechanism comes into effect. It remains to be seen what changes will be made to the framework. We will continue to follow developments on this matter closely.
If you have any questions regarding this subject, please do not hesitate to contact Britt van den Branden or Stan Elsendoorn.