Update: EU-US Data Protection Framework
During their recent four-day visit to the United States capital, members of the European Parliament's Civil Liberties Committee (CLC) embarked on a mission to discuss and exchange views with various stakeholders regarding critical policy issues. The delegation had fruitful meetings with key representatives from the House of Representatives, the Senate, government departments, judicial bodies, non-governmental organizations, and think-tanks. The topics discussed encompassed privacy and cybersecurity amongst others, and more particularly transfers of data between the European Union (EU) and the U.S. This visit not only fostered bilateral cooperation but also demonstrated the commitment of both the European Union and the United States to address these vital concerns collaboratively.
The European Union’s Concerns with the Data Privacy Framework
As a reminder, ever since the Court of Justice of the EU invalidated the EU-U.S. Privacy Shield in its 2020 ruling Shrems II, the authorities on both sides of the Atlantic had been working towards reaching an agreement to address the CJUE’s concerns and facilitate cross-border data transfers.
In March 2022, the President of the European Commission, Ursula von der Leyen, along with U.S. President Joe Biden, had thus announced an agreement in principle on a new EU-U.S. Data Privacy Framework, after over a year of negotiations. This was followed by the adoption, in October 2022, of an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ which has led the European Commission to launch the process to adopt an adequacy decision.
Therefore, on 11th of May 2023, the European Parliament voted to adopt a resolution on the adequacy of the protection given by the EU-U.S. Data Privacy Framework, as signed into law by President Biden. This Framework specifically called on the European Commission to help the U.S. authorities in creating a mechanism that would ensure equivalence and provide the adequate level of data protection required by EU law.
The European Parliament’s resolution highlighted key issues with the Framework. Firstly, the EU Parliament is still concerned that if the Framework was adopted as is, it could be invalidated by the Court of Justice of the European Union, which could disrupt European businesses with the lack of legal certainty.
Moreover, the resolution noted that President Biden’s Executive Order does not manage to provide sufficient safeguards in the case of bulk data collection. It points particularly to the specific concern that without further restrictions on dissemination to U.S. authorities, law enforcement authorities would be able to access data they would otherwise have been prohibited from accessing. It also shares other concerns expressed by the EDPB regarding the rights of data subjects, the lack of clarity about the application of the principles to processors and the need to avoid onward transfers undermining the level of protection.
Finally, major concerns were raised over the proposed new redress mechanism, the Data Protection Review Court (DPRC) – more particularly regarding the fact that this Court’s decisions would remain secret, with no citizen’s right to access or redress, and that the U.S. President could dismiss the Court’s judges and overturn decisions.
Parliament concludes that the Framework fails to create essential equivalence and calls on the Commission to continue its negotiations with the U.S. on the Framework and to not adopt an adequacy finding until all the recommendations made in the resolution and the EDPB opinion are fully implemented. It further calls on the Commission to act in the interest of EU businesses and citizens by ensuring that the proposed framework provides a solid, sufficient and future-oriented legal basis for EU-U.S. data transfers.
What does this mean for Companies Wishing to Transfer data to and from the US?
While the EU has addressed concerns on President Biden’s Data Privacy Framework, it has not totally shut the door on the proposal. This is further evidenced by the fact that an EU delegation has gone to the U.S. to meet local stakeholders and properly communicate their concerns. The hope is of course that these discussions will be fruitful and a solution to allow EU-U.S. data transfers will be found.
In the meantime, companies must keep taking precautions while engaging in trans-Atlantic data transfers. This of course includes relying on Standard Contractual Clauses (SCCs), as adopted by the European Commission, and Transatlantic Impact Assessments (TIAs) in order to facilitate lawful and secure data flows. Indeed, SCCs provide a standardized contractual framework that includes data protection safeguards, thus ensuring that personal data remains protected during transfers. TIAs, on the other hand, assist companies in assessing the potential risks and impact on data subjects’ rights before engaging in transatlantic data transfers. As businesses navigate these requirements, implementing SCCs and TIAs are essential steps to maintain compliance and responsible data practices. Additionally, it appears crucial for companies to implement supplementary technical, organizational and contractual measures to ensure data protection – and review such measures at appropriate intervals.
How Can Gerrish Legal Help?
Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property. As a digital commercial law firm, Gerrish Legal can help businesses navigate and comply with EU data protection regulations, whether it be on the data controller or the data processor side of affairs.
We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements.
We are here to help you, get in contact with us today for more information.
Article by Mel Hzeg @ Gerrish Legal