In a recent non-binding opinion, EU regulators expressed timid positivity about the European Commission’s draft adequacy decision on the EU-US transatlantic data flows framework (Data Privacy Framework or DPF). While some fine-tuning clarifications and changes to the draft US adequacy decision are still to be expected, the path to the final adoption of the decision this year seems to finally be in sight. At the same time, EU regulators continue to raise certain long-standing concerns about US authorities’ ability to access transferred personal data as well as the redress mechanism, thereby raising the question of whether the third time will be a charm for the DPF or whether it will succumb to another Schrems III.
WHERE ARE WE NOW ON THE EU-US ADEQUACY DECISION?
Following two previous invalidations of the EU-US adequacy decision by the Court of Justice of the European Union (Schrems I and Schrems II cases), the European Commission and the Biden administration have been involved in lengthy negotiations to re-establish a transatlantic framework for data flows. These negotiations led to US President Joe Biden and European Commission President Ursula von der Leyen announcing an agreement in principle on the new transatlantic data flow framework in March 2022.
The agreement was implemented with President Biden signing Executive Order 14086 (EO 14086) in October 2022, providing for safeguards on imported EU personal data, particularly by curtailing the access of intelligence agencies and establishing a redress mechanism. Additionally, the United States and the European Union appear to have also agreed on slight revisions to the previous privacy framework that applies to self-certified organizations importing personal data from the European Union.
The European Commission then responded in December 2022 by adopting its draft US adequacy decision, which concluded that the United States now ensures an adequate level of protection for personal data transferred from the European Union.
Recently, the European Data Protection Board (EDPB) added its voice to the chorus of commenters on the new DPF, expressing some reservations but overall applauding the efforts made to date.
WHAT DOES THE EDPB OPINION SAY?
The EDPB Opinion was adopted on February 28, 2023, and focuses on two distinct aspects of the DPF:
Changes to the US framework made by EO 14086 compared to the previous legal framework
The DPF Principles, with which certifying organizations must comply and which remain more or less unchanged from the Privacy Shield.
With Regard to the Changes Made by EO 14086
The EDPB recognized the substantial improvements made to the limits and scope of EO 14086 as compared to the previous legal framework, especially in connection with US authorities’ ability to access transferred personal data under US law and the development of a redress mechanism. Nonetheless, the EDPB Opinion expressed concerns, including:
Request to condition the adoption or entry into force: The EDPB Opinion requests that the European Commission condition its adoption and entry into force of the adequacy decision upon the adoption by the United States of updated policies and procedures to implement EO 14086 by all US intelligence agencies.
Request to clarify: While the EDPB Opinion requests several clarifications to the DPF, it does not explicitly demand certain changes prior to the adoption of the adequacy decision. For example, the EDPB Opinion notes that under EO 14086, the possibility to collect data in bulk is still permitted under US law. The EDPB Opinion asks the European Commission for clarification in relation to such bulk collection and data retention.
Request to monitor: Once the US adequacy decision is adopted, the EDPB requested that the European Commission monitor the implementation of the changes to EO 14086, specifically with respect to the practical application of the newly introduced principles of necessity and proportionality as well as the effectiveness of the remedies available to individuals.
With Regard to the DPF Principles
The EDPB Opinion also identified what the EDPB sees as issues relating to existing DPF Principles. As with the changes to EO 14086 discussed above, the EDPB requested that the European Commission clarify certain principles, but, significantly, the EDPB does not call for the European Commission to halt the adoption of the US adequacy decision.
Applicability to processors: The EDPB requests that the DPF clarify which of the DPF Principles are applicable to “processors” or “agents” and which to “controllers.”
Data subject rights: The EDPB Opinion opposes the publicly available information exception to the right of access, finding it too broad. With respect to the right to object, the EDPB Opinion seeks greater clarity on how individuals can exercise that right.
Onward transfers: The EDPB Opinion invites the European Commission to clarify that intragroup transfers should not be carved out of the DPF requirements and that transfer impact assessments should be carried out in case of onward transfers to third countries.
Automated decision-making: The EDPB believes that specific rules concerning automated decision-making are needed to provide sufficient safeguards, including the right for the individual to know the logic involved, to challenge the decision and to obtain human intervention when the decision significantly affects him or her.
Enforcement mechanisms: In the EDPB’s view, oversight by the Federal Trade Commission must be effective and must be monitored through periodic reviews, including by the EDPB.
WHERE DO WE GO FROM HERE?
The next step is for the European Commission to respond to the EDPB’s requests for clarifications and concerns. The EDPB Opinion is not binding; thus, the European Commission could either consider adjustments to the draft adequacy decision or take the position that no changes are necessary. The European Commission could also provide written clarifications to the EDPB. Of course, if the European Commission were to agree with some or all of the EDPB’s concerns, the European Commission could try to use the EDPB Opinion as leverage to put pressure on the United States to make more changes to the DPF. If this happens, the adoption of any DPF would necessarily be pushed back.
From the viewpoint of the United States, timing is important in this process. The United States heads into a presidential election cycle later this fall, a time during which politicians like to identify “wins,” of which an adequacy decision would most certainly be one. As a result, US representatives are likely working closely with their European counterparts to try to limit any potential changes to the hard-won DPF terms. At the same time, because of the desire in the United States to have the adequacy decision finalized, the European Commission may also find the United States willing to make minor tweaks to the DPF to address any remaining concerns of the European Commission or the EDPB. Substantive changes to the DPF by the United States, however, seem unlikely.
If the European Commission does not seek any changes to the DPF, as a procedural matter, the next step would be for the European Commission’s draft US adequacy decision to be adopted by a committee of representatives of the 27 EU Member States. The European Parliament could also exercise its right of scrutiny over the adequacy decision. Only after the 27 EU Member States approve the draft adequacy decision can the European Commission adopt its final US adequacy decision. If all goes well, that could be later this year. The future will tell whether the DPF will be a long-term solution to transatlantic data flow woes.