The EU–US Data Privacy Framework has hit another roadblock. Earlier this month, the European Parliament voted in favour of reopening negotiations with the US regarding the framework and adequacy decision, which is designed to create a legal mechanism for transatlantic data transfers.
The parliament voted 306–27, with 231 abstentions, in favour of the decision. It follows calls from EU lawmakers to reconsider the proposal, which was finalised last year despite many concerns about its validity.
Legislators argued that the framework doesn’t comply with EU law. They pointed in particular to its failure to clamp down on the powers that US law grants the government to monitor transferred personal data, which contradicts the rights enshrined in the GDPR (General Data Protection Regulation).
Their concerns were solidified following a motion for a resolution tabled by Juan Fernando López Aguilar, the chairperson of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs.
They expressed their concern that the framework, if adopted, would quickly be invalidated by the Court of Justice of the European Union.
The same fate befell the Data Privacy Framework’s two predecessors, Safe Harbour and the Privacy Shield, and a third failure could lead to a “continuing lack of legal certainty, further costs and disruption for European citizens and businesses”.
How we got here
For a while, things were looking good for the EU–US Data Privacy Framework. The text appeared far more robust than previous transatlantic data transfer mechanisms, and President Biden gave his assurances that the US would curb government surveillance.
EU President Ursula von der Leyen and US President Joe Biden said they’d reached an agreement in principle for transatlantic data flows, with Biden signing an executive order on the matter in October.
But the agreement still had to pass through the European Parliament’s LIBE (Committee on Civil Liberties, Justice and Home Affairs), and it was not happy with the proposal. In a non-binding draft proposal, it pointed out similar concerns that derailed previous frameworks.
The LIBE advised that the European Commissioner should not proceed with the proposal “unless meaningful reforms were introduced”. And, unfortunately, the sorts of reforms it wants to see are at odds with US law.
It’s a familiar story – albeit with a twist – and it dates to 2015, when the Austrian privacy activist Max Schrems mounted a legal challenge against the Safe Harbour Agreement.
The framework, which had been in place for fifteen years, was invalidated after Schrems successfully argued that US data protection laws failed to uphold EU laws.
Things were complicated further with the announcement of the GDPR the following year. It dramatically increased the power that individuals have regarding the way their personal data is processed and used, and organisations were given two years to implement its requirements.
By contrast, the US has done almost nothing on a federal level to bolster data privacy, and it’s created a major divide between EU and US attitudes towards personal data processing.
It’s hardly a surprise, therefore, that the successor to Safe Harbour – the EU–US Privacy Shield – also met its demise. Amid even stricter EU rules, the faults were readily apparent, and it was invalidated after four years.
This time, the EU–US Data Privacy Framework didn’t even have a chance to be challenged, with EU lawmakers spotting problems in its proposal. Rather than rushing through a framework that might again be invalidated, lawmakers want to be sure that it’s fit for purpose.
All of this bodes poorly not only for the Data Privacy Framework but also for any mechanism to support transatlantic data transfers.
According to the committee, there are still no robust government surveillance safeguards or mechanisms that give EU residents’ transferred data “actual equivalence in the level of protection”.
The committee also noted that President Biden’s executive order didn’t prohibit the bulk collection of personal data by US surveillance bodies.
Moreover, the president – whether that’s Joe Biden or a successor – is free to revoke or amend executive orders. This could mean, for instance, that the US could expand the list of legitimate national security objectives, changing the way that personal data collection works.
As Neil Brown, a tech lawyer at decoded.legal, told The Register when summarising the problem: “No amount of paperwork will overcome what they perceive to be aspects of US law which they consider to be incompatible with the EU GDPR.”
The ongoing wrangling between US and EU lawmakers is bad news for any organisation whose business spans both sides of the Atlantic, and that’s a lot more common than you might think.
It’s not only businesses with an international presence that are affected; there are knock-on effects throughout countless sectors. The technology industry is one prominent example, with many of the world’s most common tech services importing personal data to US-based servers.
The collapse of the Privacy Shield – with no replacement on the horizon – has left many organisations unsure how to proceed.
Many organisations turned to SCCs (standard contractual clauses), which are effectively pre-approved templates containing rules for data protection.
However, these also came under scrutiny from Max Schrems, which resulted in a restriction of their applicability.
For an SCC to be lawful, organisations and regulators must conduct a case-by-case analysis of them to determine whether protections concerning government access to personal data meet EU standards.
Despite this, SCCs remain the most appropriate method for international data transfers, but you must be careful when using them.
If you need help understanding your requirements or creating an SCC, IT Governance can help.
Our EU–US GDPR Data Transfer Assessment and Action Plan provides the support you need to comply with the GDPR while transferring personal data outside the EU.
We will conduct a thorough assessment of your data transfer practices and requirements, offering step-by-step advice on how to complete data transfers efficiently and in accordance with the GDPR’s requirements.
A version of this article was originally published on 7 March 2023.