.svg)
The European Commission has concluded that US data protection rules are on par with the EU GDPR, paving the way for safe transatlantic data flows.
Earlier this week (December 13), the commission announced its draft adequacy decision on the US, concluding that the US legal framework “provides comparable safeguards to those of the EU”.
The draft decision states that “the United States ensures an adequate level of protection” for personal data transferred from the EU to US companies.
“Today’s draft decision is the outcome of more than one year of intense negotiations with the US,” Didier Reynders, Commissioner for Justice commented, adding that the future data-sharing framework will “help protect the citizens’ privacy while providing legal certainty for businesses”.
Under the new EU-US Data Privacy Framework, companies must comply with a detailed set of privacy obligations, for instance, the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected.
They must also ensure continuity of protection when personal data is shared with third parties and will provide EU citizens with several redress avenues if their personal data is handled in violation of the framework.
In addition, the commission says the US legal framework provides several limitations and safeguards regarding access to data by US public authorities, particularly for criminal law enforcement and national security purposes.
These safeguards were in part established by an executive order signed by US President Joe Biden on October 7, which set out new principles for signals intelligence gathering, and a new attorney general regulation that set up a Data Protection Review Court, which will handle EU citizens’ complaints regarding US signals intelligence activities.
According to the commission, these two measures, which were explicitly designed to address issues raised by the Court of Justice of the European Union (CJEU) when it struck down the previous data-sharing framework, successfully implemented into US law what the EU and the US agreed in principle in March.
Businesses hail the decision while privacy experts voice concerns
Many industry groups have welcomed the draft decision.
“The Data Privacy Framework is a critically important step to ensure our economies remain connected,” said Marjorie Chorlins, the US Chamber of Commerce senior vice president for Europe.
Jason Oxman, president and CEO of the Information Technology Industry Council (ITI) stressed that “data flows underpin $7.1trn in economic relations between the EU and the United States” and urged EU member states to work with EU institutions to adopt the draft adequacy decision.
According to Oxman, the draft decision now enables authorities and businesses to prepare to move forward “with a solid and reliable framework that protects fundamental rights of citizens, provides legal certainty for businesses, and safeguards the continuity of commercial activities involving the movement of data across borders.”
Meanwhile, several digital rights advocacy groups and privacy experts have raised doubts that the draft decision could not prevail.
“It's too early to celebrate,” according to Rie Aleksandra Walle, privacy specialist and founder of NoTies Consulting.
“The final decision isn't expected before Spring 2023, after which it can be challenged”, she stressed.
Before the decision becomes final, the European Data Protection Board (EDPB) has to hand down an opinion and a committee of EU member state representatives must give the green light.
The European Parliament may also decide to examine the decision.
The EU “seems split between those emphasising personal data protection and privacy vs. doing business with the US,” according to Walle.
“It's no surprise that the Commission wants to get a deal in place, like twice before, but I'm not so sure the EDPB will agree when they are now set to do their review,” she said although noting that the opinion will not be binding on the commission.
The fact that US surveillance laws have not been changed directly may raise concerns, as well as the validity of executive orders, which can be withdrawn without public knowledge, Walle explained.
Although the framework is welcome to the extent that it would provide “some long-awaited breathing space” for US businesses, Walle said there is a risk that “we'll be looking at a Schrems III situation with yet another round in the CJEU.”
noyb, the data privacy advocacy group whose honorary chair Max Schrems played a key role in the invalidation of the two previous frameworks, gave a harsh dress down to the announcement.
According to the group, the executive order “seems to fail” on both requirements raised by the CJEU since there is continuous "bulk surveillance" and a "court that is not an actual court”.
“As the draft decision is based on the known executive order, I can't see how this would survive a challenge before the Court of Justice,” Schrems said.
“It seems that the European Commission just issues similar decisions over and over again — in flagrant breach of our fundamental rights," he added.
Similar doubts have been voiced by the Electronic Privacy Information Center (EPIC) which said that the executive order is a “meaningful but insufficient step forward” that may leave the door open to the misuse of personal data.
Once the final adequacy decision is adopted, companies can apply for certification from the US Department of Commerce under the new framework, which will then give them the certainty that their transatlantic data transfers are in compliance with data protection rules.
