Authors: Andreas Rüdiger, Philipp Adelberg
The debate on transatlantic data transfers, a possible adequacy decision for the US and the EU-US Data Privacy Framework (“DPF“) is gaining new momentum. On 14 February 2023, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs published its draft motion for a resolution regarding the adequacy of the protection of personal data under the DPF (to be found under RD_Statements (europa.eu)). Two weeks later, on 28 February 2023, the European Data Protection Committee (“EDPB“) published its Opinion 5/2023 on the Commission’s draft adequacy decision based on the DPF (to be found under EDPB welcomes improvements under the EU-U.S. Data Privacy Framework, but concerns remain | European Data Protection Board (europa.eu)). The DPF is intended to replace the US Privacy Shield, which was declared invalid by the ECJ’s “Schrems II” decision (C-311/18), and to facilitate data transfers from Europe to the United States. However, the opinions of the Parliament and the EDPB differ on the question of the adequate level of data protection of the DPF.
Draft motion for a resolution 2023/2501 (RSP)
In its draft motion for a resolution, the Parliament calls on the Commission to continue negotiations with the US regarding the DPF in order to establish an equivalent level of protection for personal data in the EU and the US. In its recitals for this request, the Parliament concludes that the DPF fails to establish an equivalent level of data protection.
Referring to the history of previous efforts regarding the approval of personal data transfer to the US, the legislation as well as the ECJ’s case law, the Parliament stresses the fundamental importance of personal data transfer, especially from an economic and innovative point of view. At the same time, the Parliament warns against a far-reaching restriction of data subjects’ fundamental rights.
The European Parliament criticizes the current legal framework in the US regarding the protection of personal data. Such critic is not only based on the lack of uniform data protection laws at the US federal level or the fundamentally different understanding of data protection principles compared to the position of the European legislator. While the Parliament welcomes the efforts of the US to adapt the data protection regime in its own territory in the form of an Executive Order 14086 (“EO“), it also criticizes the EO for being unclear, imprecise, and unpredictable, as it can be amended by the US President at any time. Moreover, the Parliament is also skeptical about the new options for legal protection available to data subjects.
However, regardless of the substantial criticisms made by the Parliament at this point, the potential legal effects (or lack thereof) coming from such a motion for a resolution must be taken into account. As it is the preparatory step towards the completion of a resolution, which itself is not legally binding (cf. Art. 288 para. 5 TFEU), the effects of such measures remain limited to the potential influence on EU legislation.
At the Commission’s request, the EDPB has assessed the adequacy of the level of data protection in the US based on the DPF. While this Opinion is not legally binding, it is nevertheless a procedural requirement for the Commission’s adoption of a decision due to the EDPB’s involvement in the decision-making process at the Commission’s request.
Overall, the EDPB is of the opinion that the EO, as part of the DPF, leads to significant improvements in level of protection for personal data compared to the US Privacy Shield. This opinion relates in particular to the introduction of the principles of necessity and proportionality as well as the listing of specific purposes for which data processing may take place. Additionally, the EDPB commends the new individual remedy for EU data subjects in case of data processing in breach of the rules of the DPF.
Still, the EDPB continues to raise concerns which should be addressed to begin with in order to provide further clarity and provide a solid foundation for a possible adequacy decision. These concerns relate in particular to data subjects’ rights (e.g., some exceptions to the right of access and the time limits and modalities for the right to object), the lack of key definitions, the lack of clarity regarding the application of the DPF to processors, and the broad exception for publicly available information.
In summary, the chances for an adequacy decision by the Commission being adopted based on the DPF are good in our opinion. The motion of 14 February 2023 preparing a resolution of the Parliament does not prevent this due to its lack of legally binding effects. However, the EDPB’s opinion, which is also not legally binding, is of greater importance for the debate insofar as the opinion was requested by the Commission and can be expected to have a significant influence on the further steps towards an adequacy decision. The EDPB sees substantial improvements compared to predecessor regulations and does not expect the DPF to be an exact replication of European data protection law. The remaining concerns can be addressed by further creation of transparency. The EDPB’s opinion has already been endorsed by some of the German data protection supervisory authorities, who declare the now expected adequacy decision to principally be a success for data protection (for example, the Hamburg Commissioner for Data Protection and Freedom of Information: Assessment of the adequacy decision for the US. Thomas Fuchs: “Die Wahrheit ist auf dem Platz” (datenschutz-hamburg.de)). The ball is now in the Commission’s court to consider the EDPB’s concerns and, if necessary, address them directly to the US. If the adoption of a possible adequacy decision will still be able to occur in a timely manner due to the given reasons, remains to be seen. Nevertheless, it is clear that the Commission is proactively addressing this issue.