The replacement for Privacy Shield looks to have hit at least a small bump in the road, as a European Parliament Committee has found that the proposed EU-U.S. Data Privacy Framework does not achieve equivalence with EU data protections and should not be used to grant an adequacy decision to the US.
The opinion comes from the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs. This does not derail the proposal, as the full EU Parliament is expected to vote on it sometime in the first half of 2023. It does outline key objections that are expected to be raised, however, chief among them that the US remains without a federal data protection law that offers parity with the terms of the General Data Protection Regulation (GDPR).
EU-US data transfer framework sees pushback in EU Parliament
The central objection raised is a predictable one, and one that some analysts believe will inevitably cause the EU-US data transfer proposal to fail yet another court challenge if it makes it to implementation: the lack of a federal-level data privacy law in the US, and the legal ability of any sitting US president to amend the executive order that is supposed to stand in for it.
Executive Order 14086 on Enhancing Safeguards For United States Signals Intelligence Activities was signed in October 2022 for the purpose of providing a legal cornerstone on which a new EU-US data transfer agreement could be built. The order attempts to address some of the specific inadequacies raised in the Schrems II lawsuit, such as the lack of redress for EU data subjects that have their personal information accessed by the US government. However, the committee found that the protections the EO offers are not proportionate, that the proposed Data Protection Review Court would not be sufficiently independent or impartial, and that the risk of a president amending the EO in the future is unacceptable.
The committee stated that it wants to see “meaningful reforms” in any EU-US data transfer agreement, particularly as concerns intelligence gathering and national security purposes. The issue that is essentially at the root of the problem is the 2013 revelations by Edward Snowden that US intelligence agencies covertly gather up the data of foreign citizens not suspected of crimes or involved with investigations, which prompted privacy crusader Max Schrems’ initial court challenge to the prior Safe Harbor data transfer agreement.
Data transfer agreement faces very uncertain prospects without US federal law
Future draft opinions may be added by the EU Parliament and the European Data Protection Board before the European Commission makes a final decision on the proposed EU-US data transfer rules. The issues brought up here are likely to be reiterated at some point, as they are also the points that will almost certainly be raised by Schrems in an extremely likely court challenge to any framework that is formally adopted.
As analysts have noted, the data privacy laws of each country do not have to be identical for an EU-US data transfer framework to withstand a legal challenge in the EU courts; GDPR equivalency by the US is simply the quickest and surest path to getting an agreement in place. But that prospect still seems to be distant, despite bipartisan interest in establishing federal law as individual states grow tired of waiting and adopt their own standards. The committee’s intent may be to prompt revision to strengthen the proposal, but that might delay the desired timeline of getting the agreement to the EU Commission for final approval by July of this year.
Legal observers had largely expected the EU-US data transfer framework to sail through the adoption process despite these obvious concerns, with the chips falling where they may in the inevitable Schrems court challenge. Signs point to the EU Commission opting to adopt the framework anyway (as these difficulties were not unexpected), but the committee’s decision does now raise the prospect of delay and revision to shore up the terms. This would be a very likely outcome if the EU Data Protection Board’s opinion, which is expected to be issued shortly, also advises against adopting the framework.
One sticking point that could potentially be addressed without additional heavy legislation from the US side would be improvement to the structure of the DPRC, the entity meant to provide transparency and redress to EU data subjects. As it is presently constituted, the special court does not provide much in the way of transparency, does not guarantee that the advocate who handles complaints will be independent of the US government, and does not offer a means of appealing decisions. EU residents are also not automatically provided with notification of US processing of their data.