December is well-advanced and 2022 is coming to a close. According to a quick empirical search on the internet, it is estimated that 6 of the 8 billion people living on planet Earth celebrate some cultural or religious holidays during December. For some of us in Europe, this means we are only days away from Christmas but rest assured, I will spare you the Santa-Claus-list-GDPR-consent jokes. That said, we did receive an early Christmas present. Clearly, it is not the alleged Qatar corruption scandal that is rocking the highest levels of the European Parliament.

Unless you were living under a rock this week in privacy, you saw the European Commission released its long-awaited draft adequacy decision, which underpins the EU-U.S. Data Privacy Framework. This draft decision translates the trans-Atlantic political deal reached earlier this year and captures some of the changes the U.S. started to implement following the Court of Justice of the European Union's criticisms in its "Schrems II" decision. The draft adequacy decision will go through the EU's approval process, which entails a nonbinding opinion from the European Data Protection Board on the draft decision and a vote from member states.

Before the draft decision was even published, official reactions in Europe — mainly in Germany — ranged from "let's see what this says" to "it will never be enough." In the former camp, the Hamburg data protection authority issued a statement in late November stating while changes that were contemplated would still take months to implement, it recognized "the U.S. has thus moved a long way towards the European tradition of fundamental rights," calling sweeping criticism "inappropriate" and inviting a sound examination. The Baden-Wurttemberg authority, on the other hand, was a lot more critical of the executive order U.S. President Joe Biden released in October, underlining its "considerable deficits."

This week, member of the European Parliament Birgit Sippel, a representative of the European Socialist party, commented on the "shortcomings" of the deal and announced that Parliament's Civil Liberties committee would work on a nonbinding resolution once the EDPB opinion is out. This is not surprising, nor should it be enough to rock the boat. But it is noteworthy that Sippel highlighted the draft decision referred to the designation of the EU/EEA as a "qualifying state" in the executive order, meaning that it provides "appropriate safeguards in the conduct of signals intelligence activities for United States persons' personal information that is transferred from the United States to" the EU/EEA. 

In her statement, MEP Sippel adds mischievously: "With a view to the existing and planned European surveillance legislative projects of the EU Commission, it would be interesting whether the EU would even issue an adequacy decision itself." Now that is particularly interesting given the Parliament and EU Council discreetly reached a provisional political agreement last November on rules for sharing of e-Evidence across the EU. The commission proposed these new rules in 2018 to improve judicial cooperation and mutual legal assistance process among EU member states. Finalizing this legislative package is a significant development politically because of the link with the U.S.'s Clarifying Lawful Overseas Use of Data Act: Europeans love to hate the CLOUD Act, but it is not dissimilar in spirit to the e-Evidence package. Now that the latter is done, the EU and U.S. might be able to advance negotiations on a trans-Atlantic agreement which have been stalled for quite some time. Something to watch next year.

The Europe Weekly Digest will go on hiatus for the next couple of weeks. Stay safe, enjoy life and see you in 2023!