The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (‘LIBE Committee’) and the European Data Protection Board (‘EDPB’) have recently issued opinions on the European Commission’s draft US adequacy decision (‘Draft Adequacy Decision’) for the EU-US Data Privacy Framework (‘Framework’). Both believe there is more work to be done and additional measures to be taken to achieve equivalent protection. This dampens expectations that data transfers to US companies self-registered under the Framework are within reach.
LIBE Committee calls for Draft Adequacy Decision to be scrapped
On 14 February 2023, the LIBE Committee found that the Framework does not result in equivalent protection for personal data in the US, and has called on the Commission not to grant an adequacy decision for the Framework on this basis. Some of the shortcomings identified by the LIBE Committee include:
- US intelligence activities need only be proportionate to the ‘validated intelligence priority’, which will be interpreted under US law. The US interpretation of proportionality is far broader than in the EU, meaning that there is still a very broad justification for systemic surveillance by US intelligence agencies on EU data subjects.
- Executive Order 14086 (‘Executive Order’) does not prohibit the bulk collection of data by intelligence agencies (including the content of communications), and the list of legitimate national security objectives can be expanded by the US President in secret.
- The proposed Data Protection Review Court’s (‘DPRC’) decisions will be classified, meaning that data subjects would be denied their rights to access/rectify their data. The DPRC is also part of the executive branch rather than the judiciary, meaning it is not independent and impartial within the meaning of Article 47 of the EU Charter of Fundamental Rights.
- There is still no federal data protection law in the US, and the Executive Order is subject to unilateral amendment by subsequent US Presidents.
The EDPB says the Framework needs more work
On 28 February 2023, the EDPB issued its opinion on the Framework. It noted that equivalence as required under the GDPR did not mean that the US had to enact identical data protection laws. It welcomed the establishment of the DPRC and found sufficient safeguards in place to show its independence.
However, it did express concerns in relation to:
- The continued use of bulk collection of personal data under the Executive Order.
- The secrecy of DPRC decisions and its standard response to data subjects without exceptions.
- The inability of the courts of general jurisdiction in the US to apply the Executive Order, so despite them being listed in the Executive Order they cannot serve as a recourse mechanism.
- The lack of controls on onward transfers, which may undermine the level of protection in place with the original recipient in the US.
- The broad number and scope of exemptions from adherence to the principles set out in the Framework.
- The practical application of the principles of necessity and proportionality set out in the Executive Order and limited ability to monitor their application due to the classified nature of the reports by oversight bodies.
The EDPB recommended that the adequacy decision should be conditional upon the adoption of the policies and procedures set out in the Executive Order by all US intelligence services.
The Draft Adequacy Decision will now need to pass through a committee composed of representatives of EU Member States and be subjected to scrutiny from the European Parliament. Despite the criticisms of the Framework, the expectation is that the Commission will take a pragmatic view to permit EU-US data transfers to further business interests between the nations. The Draft Adequacy Decision already has mechanisms for an emergency repeal procedure in case the Executive Order removes the agreed protections. On the current timeline, the optimistic prediction is that adoption may occur in summer 2023.