Insights

EU-U.S. Transfers: Privacy Shield replacement not adequate says European Parliament

EU-U.S. Transfers: Privacy Shield replacement not adequate says European Parliament

May 18, 2023
Download PDFDownload PDF
Print
Share

The road to the adoption of a lasting framework for EU-U.S data transfers has been anything but smooth. Much like its predecessor, Safe Harbor, the EU-U.S Privacy Shield met its end in 2020 when the Court of Justice of the European Union (“CJEU”) ruled that the arrangement failed to comply with the EU GDPR. The replacement EU-U.S Data Privacy Framework (the “Framework”), first announced by the White House in October 2022, represents the latest attempt, albeit one which is facing increased scrutiny from EU law makers as they deliberate over the award of an adequacy decision.

In a non-binding resolution adopted on 11 May 2023 (the “Resolution”), the European Parliament called on the European Commission not to award an adequacy decision in respect of the Framework. This follows on from concerns raised by the European Data Protection Board (“EDPB”) in its non-binding opinion, adopted on 28 February 2023, concerning the sufficiency of the Framework.

Background

The European Commission launched the process for the adoption of an adequacy decision in respect of the United States and the Framework on 13 December 2022 (discussed in our previous insight), following U.S President Biden’s signing of an Executive Order on 7 October 2022. The Executive Order established: (i) legally binding safeguards to address concerns identified by the CJEU in its Schrems II ruling, and (ii) a Data Protection Review Court (“DPRC”) to protect individuals’ rights of redress, where their personal data are transferred to the United States. The Framework comprises a set of privacy principles, which the European Commission’s draft adequacy decision approved as offering protection to EU citizens’ personal data that is ‘essentially equivalent’ to that received under the EU GDPR.

Concerns raised by MEPs

While the Resolution notes that the Framework contains significant improvements, compared with previous iterations (e.g. Privacy Shield), it concludes that it does not go far enough to provide ‘essentially equivalent’ protection to that guaranteed under the EU GDPR.

Key concerns include:

  • A lack of transparency in DPRC procedures due to their decisions being classified and not made public or available to the complainant, thereby undermining data subjects’ rights to access and rectify their personal data.
  • Insufficient guarantees in relation to the independence of DPRC judges, due to the U.S President's ability to dismiss them and overrule their decisions.
  • The permissibility of bulk collection of personal data in certain cases and the failure to provide sufficient safeguards where bulk collection occurs. For example, the Resolution notes the lack of any requirement for independent prior authorisation to conduct bulk collection, alongside the absence of clear and strict data retention rules.

The Resolution concludes that, in order for the European Commission to satisfy its obligation to assess adequacy based on the practical application of legislation and guidelines in the relevant third country, it can only adopt an adequacy decision once steps have been taken by the U.S to ensure that the commitments specified in the Executive Order have been delivered. Specifically, only once (i) the U.S Intelligence Community has updated its policies and practices in line with such commitments (which it has until October 2023 to do) and (ii) the U.S Advocate General has named the EU and its Member States as qualifying countries for eligibility to access the remedies available under the DPRC. 

The Resolution also underlines the need to ensure that the Framework is ‘future-proof’ and can withstand legal challenges, which appear inevitable. To this end, the European Parliament calls on the European Commission not to grant an adequacy decision based on the Framework and instead, to negotiate a regime that is likely to be held up in court. While the Resolution is not binding, it will be considered by the European Commission (alongside the non-binding opinion issued by the EDPB) in determining whether to formally issue an adequacy decision in respect of the Framework.

 

Related Practice Areas

  • Data Privacy & Security

Meet The Team

Meet The Team

Meet The Team

This material is not comprehensive, is for informational purposes only, and is not legal advice. Your use or receipt of this material does not create an attorney-client relationship between us. If you require legal advice, you should consult an attorney regarding your particular circumstances. The choice of a lawyer is an important decision and should not be based solely upon advertisements. This material may be “Attorney Advertising” under the ethics and professional rules of certain jurisdictions. For advertising purposes, St. Louis, Missouri, is designated BCLP’s principal office and Kathrine Dixon (kathrine.dixon@bclplaw.com) as the responsible attorney.