While the much-anticipated EU-US Data Privacy Framework draft adequacy decision (DPF) was published during the festive period, the European Parliament’s draft Motion for a Resolution published on 14 February 2023 is no love letter. For those who followed the progress of the UK through the many steps on the road to EU adequacy, this Motion is unlikely to come as any surprise. The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) was equally damning of the European Commission draft decision for the UK, as it is of the Commission’s draft in favour of the US.
Despite the many months of time and effort that have been invested to get to this stage and to address the issues raised in the Schrems II litigation, LIBE still believes the DPF “fails to create actual equivalence in the level of protection” provided to EU data subjects under the GDPR. LIBE “acknowledges” that efforts have been made to address certain concerns, but has raised objections to the DPF, namely:
- The lack of redress for EU citizens – the Data Protection Review Court (DPRC) is part of the executive branch, not the judiciary and therefore its independence is in question; the decisions will be classified and not available to the complainant or the public; there is no obligation to “notify the complainant that their personal data has been processed, thereby undermining their right to access or rectify their data”; there is no right of appeal to a Federal Court and therefore there is no possibility for the complainant to claim damages.
- The continued bulk surveillance by intelligence agencies for national security purposes – LIBE “regrets” the Executive Order “does not prohibit the bulk collection of data by signals intelligence”; notes the President’s ability to “expand” the list of legitimate national security objectives, and the fact this need not be made public; and notes that the Executive Order does not apply to data accessed through “the US Cloud Act or the US Patriot Act, by commercial data purchases, or by voluntary data sharing agreements”.
- The meaning of “necessity” and “proportionality” – while these terms are now included in the Executive Order, the concern is about how these concepts are likely to be interpreted differently under US and EU law, with the US interpretation of “proportionality” being much broader in scope than the EU view.
- The lack of federal privacy legislation – LIBE points out that, “unlike all other third countries” that have an EU adequacy decision under the GDPR, the US has no federal privacy legislation; the status of the US Executive Order is also a concern as it can be amended or revoked at any time by the US President; and there is no sunset clause (as was included in the EU’s adequacy decisions for the UK).
- Monitoring and Review – any adequacy decision should include mechanisms for monitoring and review to “ensure that decisions are future proof and that EU citizens fundamental right to data protection is guaranteed”.
LIBE met again in early March to consider the DPF with a view to finalising their draft Resolution by the end of March. The European Parliament will then vote on this Resolution. It is important to remember that, while this Resolution may be persuasive, it is not binding on the EU Commission.
Warmer regards?
Meanwhile, over at the European Data Protection Board (EDPB), things look a little rosier. The EDPB published their Opinion on 28 February 2023 and the tone was much more upbeat and in keeping with what we saw when the draft DPF adequacy decision was announced. The EDPB noted “the substantial improvements the EO [Executive Order] offers compared to the previous legal framework, in particular as regards the introduction of the principles of necessity and proportionality and the individual redress mechanism for EU data subjects.” However, it is not all plain sailing, as the EDPB has also expressed concern and wishes clarification on several points, which relate “to certain rights of data subjects, onward transfers, the scope of exemptions, temporary bulk collection of data and the practical functioning of the redress mechanism” – quite a familiar (and not unexpected) list!
The EDPB also wishes to see updated policies and procedures for all US Intelligence Agencies to fully implement the Executive Order. The EDPB goes as far as to suggest the adoption and entry into force of any finding of adequacy should be conditional on the adoption of such updated policies and procedures.
So what happens next?
While the European Parliament continues to work on the draft Resolution, there are other hurdles yet to overcome. First, will the outstanding issues in the EDPB’s Opinion be addressed? It is important to note that, even if they remain unresolved, the EDPB’s Opinion is merely persuasive rather than binding on the EU Commission. Next there will be a vote of a committee of representatives from the EU Member States, where they will be asked to give the adequacy decision the green light. It is important to remember that an adequacy decision is an implementing act; the European Parliament therefore has limited power to revise or block such an act, and in reality it can only object if it believes the EU Commission has overstepped its implementing powers. As we saw from the UK’s experience, even if both the European Parliament and the EDPB do not come out in favour of the DPF, the EU Commission may well go ahead anyway and approve the DPF, granting the US adequacy.
So where are we? Are we actually any closer? Will this grant the certainty businesses want and need? Well, these are the million (or more accurately “multi-billion”) dollar/euro questions. We are a couple of steps further along the path, but this is a process that needs to reach a conclusion, and a positive one at that! We are still seeing headlines and commentary from big tech about the need to find a workable solution in order for their products and services to be available in the EU, with mentions of blackouts if a workable solution is not found. Given the investment from the EU and the US to get to this stage and the economic opportunities such a deal will bring, there is a clear intention from both parties to reach agreement.
As for timings, Justice Commissioner Didier Reynders has been reported as saying we may have an adequacy decision by “July 2023”. Much is being made of this being three years after the Schrems II decision, but emphasis is being placed on the fact both the EU and US have taken time with the negotiations to address the CJEU’s concerns in order that this new DPF will withstand any potential Schrems III type challenge.
So for now it is a case of continuing to do all the things we recommended in our article about the Executive Order found here and watching this space with fingers crossed!
European businesses need and deserve legal certainty.
https://www.europarl.europa.eu/doceo/document/LIBE-RD-740749_EN.pdf