EU-U.S. Data Privacy Framework Deemed Improved, But Still Needs Work
On the 14th of February, the European Parliament's Committee on Civil Liberties, Justice and Home Affairs released a Draft Motion for Resolution in which it advised against the European Commission's (EC) adoption of an adequacy decision for the EU-U.S. Data Privacy Framework.
The objections raised by the Committee include the following:
- Data protection and privacy as fundamental rights have to be balanced against other fundamental rights, not against political or commercial interests.
- The U.S. President can amend the Executive Order (EO), which makes its application unclear and unpredictable.
- Decisions of the U.S. Data Protection Review Court (DPRC), established within the Department of Justice, will not be available to complainants, meaning they will remain confidential.
- The DPRC is not transparent, independent, or impartial enough, since it is part of the executive branch instead of the judiciary.
- Unlike other recipients of an adequacy decision, the U.S. does not have a federal data protection law in place.
Their conclusions reiterated the 2021 resolution that “unless meaningful reforms [are] introduced, in particular for national security and intelligence purposes” there should be no adequacy decision adopted, because at this time “the EU-US Data Privacy Framework fails to create actual equivalence in the level of protection.”
On the 28th of February, the European Data Protection Board (EDPB) released its Opinion 5/2023 on the same framework, acknowledging on the one hand the significant improvements made to the proposed Data Privacy Framework (DPF), but also noting the points that still require attention and further clarification.
Some of the key points are as follows:
- There are many improvements to the DPF, especially regarding the principles of necessity and proportionality and the individual redress mechanisms available to data subjects in the EU.
- The commitments by U.S. authorities to enforce the framework have been noted, but they should still be monitored.
- Some key definitions are still missing, such as ‘agent,’ ‘processor,’ or terms related to the principles of data integrity and purpose limitation, such as ‘different purposes,’ ‘materially different’ purposes, or ‘a use that is not consistent with’, which are used in the text of the DPF “without a clear definition of these concepts therein and might lead to legal uncertainty.”
- In the EDPB’s opinion, the exceptions to the right of access risk being too broad; further guarantees are therefore necessary for transfers of the data of EU data subjects, as well as additional safeguards concerning automated decision-making.
- The DPF lacks a requirement for prior authorization for bulk collection of data by an independent authority. In this context, safeguards may be insufficient.
- The new redress mechanisms are a positive development, especially given the reinforced guarantees offered by the DPRC; however, aspects such as judges’ access to information still require further clarification.
- A general use of standard responses by the DPRC might fail to account for the balance required between data subjects’ rights and national security concerns.
- The effectiveness of Executive Order 14086 will largely depend on the adoption by U.S. intelligence agencies of policies and procedures for its implementation. It is thus suggested that the ratification and enforcement of the DPF be made conditional on this adoption.
As with the Draft Resolution, the Opinion of the EDPB is not legally binding, but it does stand to influence further scrutiny as well as the future decision of the relevant Member State representative who will vote on its adoption.