Introduction

In our first article of the short series of articles dated 29.03.2023, we already addressed the criticisms of the European Data Protection Board (“EDPB”) on the draft adequacy decision (“Data Privacy Framework”).

In the following, we would like to go into more detail and present further criticisms that have arisen from other bodies.

Brief review: what is and should the Data Privacy Framework be?

In principle, the Data Privacy Framework (“DPF”) provides for a variety of principles and rules to ensure an adequate level of data protection in the transfer of personal data. The new principles, like the previous Safe Harbor Principles and the Privacy Shield Principles, are aligned with the General Data Protection Regulation and are intended to establish a level of data protection comparable to the EU.

The principles were developed in consultation by the European Commission, industry and other stakeholders and are described as the “key component” of the DPF.

On the one hand, they are intended to provide a “ready-to-use mechanism” for data transfers from the EU to the US, and on the other hand, to secure and protect personal data transferred in this way in accordance with EU law. One could therefore say that the principles are a “light” version of the rights and obligations of the GDPR.

However, there is quite justified criticism of the principles, especially from the EDPB as well as from Members of the European Parliament (MEPs).

While the EDPB welcomes the numerous updates to the Principles for the processing of personal data, it also notes that a number of principles remain essentially the same as they were under Safe Harbor and the Privacy Shield (Article 29 Working Party, Opinion 01/2016 on the EU – U.S. Privacy Shield draft adequacy decision).

For this reason, some criticisms that already existed with Safe Harbor and Privacy Shield remain, such as the exceptions to the right of access, the lack of key definitions or the lack of clarity on how the principles apply to processors.

Furthermore, the EDPB directly asks the Commission to be more concrete. Among other things, there should be a clear limit on exceptions to the obligation to comply with the principles.

Furthermore, the opinion also stresses the importance of effective oversight and enforcement of the Privacy Shield in the US.

The EDPB also announces its intention to closely monitor the effectiveness of the newly created remedies available to data subjects.

At the same time, the EDPB also expresses some concern about, among other things, the possible bulk collection of data or the lack of monitoring when it comes to the issue of compliance with the requirements of the GDPR.

Overall, however, the EDPB still sees a need for clarification, especially with regard to practical implementation.

This quite critical position has now also been endorsed by MEPs in their opinion published in April (see press release of 13.04.2023 and resolution of 11.05.2023).

They also shared the view that the proposed DPF, although an improvement compared to the previous mechanisms, was not sufficient to justify an adequacy decision for the transfer of personal data. Their comments made it clear that the European Commission should not issue an adequacy decision for the US on this basis.

Like the EDPB, MEPs point out that the new regulation does not provide sufficient guarantees for a transfer.

The members essentially agree with the points of criticism already made by EDPB, such as the existing possibility of mass collection of personal data, the possibility of US authorities accessing personal data of EU citizens or the fact that the decisions of the court created by the US Executive Order (14086) remain superficial and non-transparent for the data subject and thus violate the right of access and rectification.

MEPs recommend finding a framework that ensures the legally secure transfer of data between the EU and the US. In particular, more legal certainty should be created instead of more legal uncertainty. A DPF set up on shaky legs would risk suffering the fate of its predecessors. 

Also, according to NOYB (“None Of Your Business”), the European Centre for Digital Rights, an adequacy decision in its current form would not withstand review by the European Court of Justice (“ECJ”). This would restart the cycle of negotiations on secure data transfer between the EU and the US.

Conclusion

Thus, the question remains open whether the European Commission will adopt the adequacy decision for data transfers on the basis of the DPF currently in force, despite the criticisms of EDPB and MEPs.

However, provided the adequacy decision is issued, European companies can rely on it to transfer data to the US and do so without having to put in place additional data protection safeguards.

We will keep you informed about further developments.