Since the landmark Schrems II decision of the Court of Justice of the European Union (CJEU) in summer 2020, transfers of personal data from the European Economic Area (EEA) to the US have become more challenging.
Following Schrems II, a proposed EU-US Data Privacy Framework (EU-US DPF) was painstakingly negotiated between the European Commission and the US government with the aim of simplifying transatlantic transfers of personal data. The EU-US DPF has now run into significant political push-back from the European Parliament, which has concluded that it does not provide an adequate level of protection for EU citizens. In the following, we provide an overview of the recent discussions in Brussels and an outlook on what might be expected in the coming months.
Background
For many EEA companies, the transfer of personal data to the US is a core part of their business or operating model. However, the EU’s General Data Protection Regulation (GDPR) restricts the transfer of personal data to countries outside the EEA unless the EU Commission has adopted a so-called ‘adequacy decision’ that confirms that the level of protection for personal data is adequate in the respective non-EEA country. If there is no such decision, transfers of personal data subject to the GDPR require specific transfer mechanisms to be used or applicable derogations to be relied on, all of which are generally more challenging and complex.
In the Schrems II decision, the CJEU declared the invalidity of the so-called ‘Privacy Shield’ which had facilitated the transfer of personal data from the EEA to the US for many organisations. The predecessor of the Privacy Shield, the Safe Harbour Agreement, had met the same fate and was declared invalid by the CJEU in 2015.
To replace the Privacy Shield and facilitate data transfers to the US, the European Commission’s President Ursula von der Leyen and US President Joe Biden announced an ‘agreement in principle’ on the EU-US DPF in March 2022. In light of this agreement, President Biden made statutory changes to US signals intelligence activities by, among other things, signing Executive Order 14086 on 7 October 2022. The Commission subsequently issued a draft adequacy decision on 13 December 2022, finding that the US provides an adequate level of protection for personal data under the EU-US DPF.
Draft motion for a resolution by the LIBE committee
On 14 February 2023, the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee) published a draft motion for a resolution for the European Parliament urging the Commission to not adopt the adequacy finding on the basis of the EU-US DPF. The LIBE Committee concluded that the EU-US DPF fails to create actual equivalence in the level of protection and called on the Commission to continue negotiations with its US counterparts. In particular, the LIBE Committee believes that further reforms of national security and intelligence laws in the US are required.
Opinion of the EDPB
The European Data Protection Board (EDPB) adopted its opinion on the draft adequacy decision on 28 February 2023. Overall, the EDPB's opinion is more positive than many had expected, especially considering the earlier conclusions of the LIBE Committee.
The EDPB’s opinion emphasises its basic expectation that the US legal framework does not need to replicate EEA data protection law for the US to qualify as a non-EEA country with an adequate level of protection.
Ultimately, the EDPB argued that the adoption of the adequacy decision for the US must be made conditional on a number of pre-conditions, including the adoption of updated policies and procedures by all US intelligence agencies. The EDPB also argued that effective oversight and enforcement of the EU-US DPF would be crucial and should be monitored closely by the Commission in future reviews of the adequacy decision.
Plenary vote of the European Parliament on the motion for a resolution
On 11 May 2023, the European Parliament held a plenary vote on the motion for a resolution presented by the LIBE Committee (see above). Before the vote on the resolution, there were several plenary votes on final amendments to the resolution that would have changed the negative stance towards the EU-US DPF to something more in line with the opinion of the EDPB. Nevertheless, those proposed amendments were rejected by the European Parliament.
The European Parliament’s resolution calls on the Commission not to adopt the adequacy decision until all the recommendations made in the European Parliament’s resolution and the EDPB opinion are fully implemented. The European Parliament expects any adequacy decision, if adopted, to be challenged before the CJEU. It therefore states that the Commission will be responsible for a failure to protect EU citizens’ rights if the adequacy decision (like its predecessors) is invalidated by the CJEU.
The European Parliament adopted the resolution with 306 votes in favour, 27 against, and 231 abstaining. The resolution is, however, non-binding in the adoption procedure for the EU-US DPF.
What’s next?
Given the resolution of the European Parliament, it is unclear whether the Commission will adopt the adequacy decision for the US this summer – as officials had originally expected. The Commission still needs to obtain approval by a committee composed of representatives of the EU Member States. However, the political pressure of the resolution may lead to further changes and postpone such approval, and therefore the adequacy decision, until the concerns of the EDPB and European Parliament are resolved or mitigated.
Regardless of whether there will be any further changes in the EU-US DPF or US laws, it is highly likely that an adequacy decision for the US, if adopted, will be challenged before the CJEU. Data protection activist Max Schrems and his organization noyb have already announced that they might directly challenge the adequacy decision after it has entered into force.