The European Commission should not adopt an ‘adequacy’ decision for ‘Privacy Shield 2.0’ based on how the proposed new framework is currently drafted, MEPs have said.
Privacy Shield 2.0 has been drafted with a view to helping businesses transfer personal data from the EU to the US in a way which meets the requirements of EU data protection law.
In December 2022, the European Commission published a draft ‘adequacy’ decision endorsing the framework – formally known as the EU-U.S. Data Privacy Framework. However, earlier this year, the European Data Protection Board (EDPB) raised concerns that the proposed framework does not provide for data transferred from the EU to the US to be handled in accordance with data protection standards that are essentially equivalent to those that apply in the EU, as EU law requires. MEPs have now expressed the same concern.
Both the EDPB’s and MEPs’ opinions are non-binding, but they increase the political pressure on the Commission to negotiate amendments to the framework with US counterparts before it designates it as providing for adequate data protection.
The MEPs said that they are concerned that the new framework, if adopted as adequate as drafted, might be successfully challenged and invalidated before the Court of Justice of the EU (CJEU). They said that would lead to “a continuing lack of legal certainty, further costs and disruption for European citizens and businesses”. Previously, the CJEU effectively invalidated the original EU-US Privacy Shield and, before that, its predecessor, the EU-US ‘safe harbour’ regime, after identifying concerns over the level of data protection provided for under those frameworks.
The MEPs criticised various elements of the proposals. These included what the MEPs described as the draft framework’s “failure to provide sufficient safeguards in the case of bulk data collection”, as well as what they highlighted would be a disparity between the rights of European citizens and those of US citizens to seek effective judicial redress in the US in respect of their data.
The MEPs also said that an EU citizen raising a complaint over how their data is handled in the US “would have no chance of being informed about the substantive outcome of the case”, would be unable to raise an appeal in a federal court, and would be unable to claim damages. They said the Commission should “continue negotiations with the United States to achieve the necessary changes to address these concerns”.
Other concerns raised relate to a lack of clarity in how some important concepts are defined, how meaningful the executive order endorsing the framework, signed by US president Joe Biden last year, really is, and the level of data protection provided by the privacy principles with which businesses wishing to take advantage of Privacy Shield 2.0 would have to self-certify their compliance.
The MEPs further called on the Commission to delay adopting an adequacy decision in respect of Privacy Shield 2.0 until after all US intelligence agencies have updated their policies and practices in line with the commitments made in Biden’s executive order. Those bodies have been given until October this year to do so. Didier Reynders, European commissioner for justice, has previously said that the changes on the US side were needed before a final decision from the Commission.
Before the Commission can adopt Privacy Shield 2.0, it is obliged to consider the opinion of the EDPB as well as views expressed by MEPs. However, the Parliament’s opinion, like the EDPB’s, is not binding. The Commission approved the UK’s adequacy decision in 2021 although MEPs had expressed concerns around data processing for immigration control and mass surveillance. The Commission is also obliged to accept the binding decision of a committee made up of representatives from EU member states, which has yet to be issued.