Recent comments on the EU-U.S. Data Privacy Framework by the EDPB and the LIBE committee

In our last update, we discussed the ‘agreement in principle’ that was reached between the EU and US on the Privacy Shield replacement. In December last year, the European Commission published a draft adequacy decision (the “Draft Decision”) endorsing the proposed EU-US Data Privacy Framework (“DPF”), which is the third attempt at a data transfer mechanism for transatlantic data flows, after the Safe Harbour and Privacy Shield, which were invalidated by the CJEU in 2015 and 2020 respectively. 

Earlier this year, there have been two developments in relation to the Draft Decision. Firstly, the Members of the European Parliament making up the Committee on Civil Liberties, Justice and Home Affairs (the “LIBE committee”) came forward with a draft motion which states that the DPF “fails to create actual equivalence in the level of protection” and urges the European Commission “not to adopt the adequacy finding.”

On 28 February 2023, the European Data Protection Board (the “EDPB”) issued its opinion 5/2023 on the Draft Decision on the protection of personal data under the DPF. In the opinion, the EDPB welcomed substantial improvements in the proposed DPF but also stated that a number of aspects of the DPF need to be clarified, developed or further detailed. Therefore unlike the motion, the EDPB opinion was relatively positive about the DPF, recognising that the test of essential equivalence under the EU GDPR does not require data protection safeguards in the US to be identical to those in the EU.

In a resolution passed by the LIBE committee recently, they continued to raise concerns over the DPF, predicting that the DPF won’t survive a legal challenge and carry on pressing for meaningful reforms.

Modern business practices require that organisations rely upon cloud or other IT-related services provided by US-based technology vendors on a daily basis to transfer personal data across borders. Therefore, legal certainty in this area is required for organisations to function efficiently.

Key points arising from the EDPB’s opinion

• Necessity and Proportionality: the EDPB welcomed the introduction of the concepts of necessity and proportionality with regard to US intelligence-gathering of data, although close monitoring of its practical application is needed.
• Bulk collection of data: EDPB expressed concerns about the lack of requirement for prior authorisation by an independent authority for bulk collection for data for intelligence purposes.
• Redress mechanism: EDPB stated the DPF introduces “more effective powers to remedy violations, including additional safeguards for data subjects”. However, clarifications on certain aspects, such as access to information by judges, may still be required.
• Data Protection Review Court: EDPB recognised significant improvements relating to the powers of the DPRC and its enhanced independence compared to the Ombudsperson.
• Commercial principles: EDPB pointed out a number of principles remain unchanged under the Privacy Shield and as such, the same concerns about the lack of critical definitions remain.
• US National Security: EDPB proposed that the European Commission adopt the draft decision on the condition that US intelligence agencies implement updated policies and procedures that meet the requirement of the European Essential Guarantees (in relation to surveillance measures).

Given the substantial improvements that have been incorporated, expectations are high amongst commentators that the future DPF will be formally entered into in due course. That being said, the EDPB calls on the need for the first review and subsequent reviews of the adequacy decision to take place every three years and has committed to contributing to them.

Commentary by the LIBE committee

EU member states and the European Parliament are both tasked with review of the DPF as part of the approval process. “We are not convinced that this new framework sufficiently protects personal data of our citizens, and therefore we doubt it will survive the test of the CJEU (EU Court of Justice),” committee member Juan Fernando López Aguilar said in a recent statement. The LIBE committee takes the view that the framework still allows for bulk collection of personal data in certain cases; does not make bulk data collection subject to independent prior authorisation and does not provide for clear rules on data retention. Juan stressed that the Commission must continue to address the concerns raised by the EDPB and the Civil Liberties Committee, “even if that means reopening the negotiations with the US.”

Next Steps

We now await a final vote by the European Parliament on the decision, which is expected in the coming weeks. The assembly and EU countries will offer non-binding opinions after which the DPF is to be finalised later this year.

How can Burges Salmon help?

If you would like any further information, please contact David Varney or another member of our Data Protection team.