May 20. 2024. 12:09

The Daily

Read the World Today

EU-US data transfer framework: European privacy authorities put forth caveats


The European Data Protection Board (EDPB) welcomed with reservations the new Data Privacy Framework, meant to provide the legal framework for transatlantic data flows.

The Board, which gathers the EU data protection authorities, was established under the General Data Protection Regulation (GDPR) to provide guidance and resolve disputes related to cross-border enforcement.

Its tasks also include advising the European Commission on data adequacy decisions, an instrument that recognises the privacy regime of a foreign jurisdiction as adequate by the EU’s data protection standards.

“While we acknowledge that the improvements brought to the US legal framework are significant, we recommend to address the concerns expressed and to provide clarifications requested to ensure the adequacy decision will endure,” said the EDPB Chair Andrea Jelinek in a statement on Tuesday (28 February).

“For the same reason, we think that after the first review of the adequacy decision, subsequent reviews should take place at least every three years and we are committed to contributing to them.”

Data Privacy Framework

In December, the EU executive adopted the draft adequacy decision on the United States, certifying the EU-US Data Privacy Framework that resulted from months of lengthy negotiations between the European Commission and the US administration.

In March 2022, US President Joe Biden and European Commission President Ursula von der Leyen announced an agreement in principle to re-establish a transatlantic framework for data flows, an arrangement that the EU Court of Justice had previously invalidated twice.

The agreement was implemented with Biden’s signature of an executive order in October to put safeguards on people’s personal data which is under EU jurisdiction, particularly by curtailing the access of intelligence agencies and establishing a redress mechanism.

The EU Court invalidated the previous Privacy Shield in the landmark Schrems II ruling because, as revealed by Edward Snowden, the US intelligence agencies had disproportionate access to EU personal data without EU citizens retaining the ability to seek legal redress.

The executive order mandates that the data-gathering activities of the US intelligence agencies can only be carried out against pre-defined national security objectives and with regard to the principle of proportionality, people’s privacy and civil liberties.

The Civil Liberties Protection Officer (CLPO) role was introduced in the US Office of the Director of National Intelligence to enforce these measures, verify complaints and issue binding decisions.

Moreover, a Data Protection Review Court was established within the Attorney General’s office, the US equivalent of a European justice ministry. This court is meant to provide an independent legal review of the CLPO’s decisions.

EDPB opinion

Although not legally binding, the Board’s opinion could be highly influential, as the Data Privacy Framework will almost certainly be challenged in court: Max Schrems, the Austrian activist who brought down the two previous agreements, has already announced a new legal battle.

The European authorities pointed to concerns regarding some rights of data subjects, onward transfers to third countries, the scope of the exemptions to the right of access, temporary bulk collection of data and how the redress mechanism will work in practice.

On the last point, Schrems also questioned the independent nature of the Data Protection Review Court since it will technically be under the executive branch. In his view, this arrangement is just a remake of the Ombudsperson figure the EU Court deemed inadequate in the previous verdict.

By contrast, the EDPB considers the new arrangement a significant improvement compared to the previous one, as it introduces more safeguards for EU citizens and provides more effective powers to remedy violations.

However, the European authorities stressed that the practical functioning of the redress mechanism would need to be closely monitored, together with the application of the newly introduced principles of necessity and proportionality.

In addition, the Board asked for more clarity regarding the temporary bulk collection, which the Executive Order allows without a court order, and the retention and dissemination of data collected indiscriminately.

The European privacy watchdogs also noted the similarity of the new Data Privacy Framework to the previous Privacy Shield, stressing that some concerns remain regarding the absence of critical definitions and the lack of clarity about how the framework would apply to organisations processing personal data.

The broad exemption to the right of access to publicly available information, the lack of specific rules on automated decision-making and profiling and the risk of undermining data protection safeguards with transfers to third countries were also mentioned as points of concern.

For the Board, adopting the adequacy decision should be conditional on some additional policies and procedures to implement the Executive Order. The Commission is invited to assess these updated policies and share its assessment with the EDPB.