Last year on 25 March, the European Commission and the United States announced that an agreement in principle had been reached on a transatlantic data privacy framework (the Principle Agreement) that should address the concerns of the European Court of Justice as expressed in its Schrems II judgment of 16 July 2020 (ECLI:EU:C:2020:559). The so-called EU-U.S. Privacy Shield had been annulled by that judgment and cannot be used as a valid mechanism for the transfer of personal data from the EU to recipients in the U.S. since then.
The Principle Agreement was concluded against the background of Article 45 of the General Data Protection Regulation (GDPR), which allows the European Commission to take an adequacy decision if a third country, in this case the U.S., provides an adequate level of data protection equivalent to that of the European Union. The third country's data protection must then be of a comparable level to that under the GDPR. For European companies, the practical consequence of such an adequacy decision is that – apart from the 'regular' requirements of the GDPR – no additional requirements apply when transferring personal data to a recipient in the relevant 'adequate' third country. Currently, according to the European Commission, (only) 13 third countries offer an adequate level of data protection. This means that for the vast majority of other non-EU countries, additional measures are necessary.
A tabled motion
Despite the positive press statement from the European Commission and the U.S. on reaching the Principle Agreement, jointly praised by the parties as an "unprecedented commitment on the U.S. side" and "another demonstration of the strenght of the U.S.-EU relationship", criticism has now come from the European Parliament. Indeed, on 14 February 2023, the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (code: LIBE) tabled a motion on the inadequacy of the protection provided by the proposed EU-U.S. Data Privacy Framework (the Motion).
In brief, LIBE objects in the Motion to the arbitrary access that U.S. intelligence agencies (may) have to electronic communications in the European Union. It substantiates this with references to case law of the European Court of Justice, the GDPR, the EU Charter, various political decisions in the EU and U.S. and recommendations of the European Data Protection Board (EDPB), among others. Even the revelations by Edward Snowden of the National Security Agency's surveillance practices on EU citizens are cited, which is still sensitive for the U.S. government.
Adequacy decision
Central to the Motion is Executive Order 14086, signed by President Biden on 7 October 2022 (the EO), which LIBE criticises. The EO constitutes an implementation of the Agreement in Principle and thus should address the previous shortcomings of the annulled Privacy Shield. However, according to LIBE, the EO does not sufficiently align with European definitions for necessity and proportionality. The EO also does not apply to personal data obtained by public authorities through means other than the EO. Such other ways for public authorities to access European data are, for example, through the U.S. Cloud Act or the U.S. Patriot Act, through commercial purchase of data or through voluntary data sharing. In addition, the EO leaves discretion to the U.S. president to add legitimate purposes (optionally in secret for the sake of state security) for which mass surveillance can be used. Also, according to LIBE, the U.S. complaints commission, the Data Protection Review Court, does not meet the standards of independence and impartiality under Article 47 of the EU Charter. Finally, LIBE poses that the lack of federal data protection legislation impairs the transparency and consistent application of data protection law within the U.S.
LIBE concludes that the proposed EU-U.S. Data Privacy Framework (as currently elaborated in the Agreement in Principle and the EO) fails as well to create real equivalence between the EU and the U.S. in terms of data protection. It therefore advises against the European Commission taking an adequacy decision for the transfer of personal data to the U.S. It calls on the European Commission to continue negotiations with the U.S. to arrive at a (transfer) mechanism that (does) provide an adequate level of data protection. To get the regulatory framework in the U.S. – where there is no federal legislation on privacy and data protection –, at the suggestion of LIBE, in line with the GDPR and the EU Charter as interpreted by the European Court of Justice, important steps still need to be taken.
On 1 March 2023, LIBE will debate the Motion and the forthcoming opinion of the EDPB on the proposed framework.