The next domino in the finalization of the proposed EU-U.S. Data Privacy Framework has fallen. The European Commission published its draft adequacy decision recognizing the essential equivalence of U.S. data protection standards, paving the way for finalization of the DPF and unimpeded data flows.
The U.S. executive order committing to an overhaul of foreign intelligence agencies' access to personal data and creation of a new redress system for EU citizens spurred the preliminary adequacy acknowledgement. The draft decision will now move through a robust stakeholder consultation that includes examination and nonbinding opinions from the European Data Protection Board, the Council of the European Union and European Parliament.
"Our analysis has showed that strong safeguards are now in place in the U.S. to allow the safe transfers of personal data between the two sides of the Atlantic," European Commissioner for Justice Didier Reynders said in a statement. "The future Framework will help protect the citizens’ privacy, while providing legal certainty for businesses."
European Commission Vice President for Values and Transparency Věra Jourová added in a statement the proposed DPF is a "necessity, not a luxury in the increasingly digitalised and data driven economy."
German Member of European Parliament Birgit Sippel welcomed the decision, noting the "political will" to reach an agreement "was evident" and "the task now is to carefully and thoroughly analyze the results of these efforts."
EU officials previously indicated the adequacy process may take up to six months based on prior negotiations with other countries. Reynders reiterated that timeframe for finalization during a recent appearance on Politico Live before the draft decision was released, but said the release of the draft decision actually marks the beginning of that six-month timeline.
"I will say before next summer it must be possible to go to the end of the process. … It means we will maybe have a decision before July of next year," Reynders said. He also made clear a July 2023 finalization is in line with the time he thought it would take to arrive at a new EU-U.S. data transfer agreement after the Court of Justice of the European Union struck down the EU-U.S. Privacy Shield in July 2020.
"We took the time. It's not just a decision to adopt very quickly," Reynders said. "It's a situation we have discussed at length with our counterpart. The main issue was to better understand on both sides that we need to implement the requirements of the (CJEU)."
A potential challenge of the proposed DPF before the CJEU is looming. NOYB Honorary Chairman Max Schrems vowed to raise a "Schrems III" case over a range of concerns — language for "necessity and proportionality" with data access and legitimacy of the U.S. Department of Justice's Data Protection Review Court among them.
On the draft decision, Schrems said in a statement he "can't see how this would survive a challenge" and the commission "just issues similar decisions over and over again — in flagrant breach of our fundamental rights."
Reynders said the proposed DPF will undoubtedly need to go back before the CJEU to "prove we have a solid, robust base." On the prospects of CJEU approval, Reynders gave the proposed DPF a "seven or eight" out of 10 chance to stand.
Notably, the draft decision does not include a full explanation for how the EU and the U.S. arrived at equivalence on the language around proportionality. Onlookers like Schrems have pointed out a disconnect between the two sides on the language and how it won't be viewed positively in a looming CJEU challenge.
Osborne Clarke Partner Julia Kaufmann, CIPP/E, read the draft and saw an effort by the European Commission to explain the U.S. treatment of and work involving proportionality, but ultimately, it lacks more expansive detail on how it draws equivalence to EU standards.
"We in the EU must acknowledge that the U.S. has a different legal system, but the U.S. is still a democratic society," Kaufmann said. "The U.S. is definitely trying to reach out to the EU and show that they want to address the deficiencies identified by the CJEU to continue commerce. … And the European Commission has taken that into account by looking behind the curtain of the U.S. legal system and trying to understand how the U.S. can address those deficiencies within the boundaries given by their legal framework."
Kaufmann added the way the Commission spelled out the new two-part redress system in its draft speaks to "aspects that have certainly been missed when this approach was criticized in the past." More specifically, the streamlined complaints process and general accessibility to redress through a national data protection authority are among the overlooked positives.
The draft also includes language allowing the adequacy decision to be revoked if ongoing monitoring by the European Commission or EU member states reveals any changes to the "legal framework and actual practice for the processing of personal data as assessed in this decision."
European Commission Head of International Data Flows and Protection Bruno Gencarelli was asked on Politico Live whether EU-U.S. adequacy would be examined on a rolling basis or have a hard sunset like the one placed on the EU-U.K. agreement. He said the EU-U.K. situation was "slightly different" given the U.K.'s departure from the General Data Protection Regulation standards while noting the U.S. and U.K. adequacy processes have "two starting points that are quite distinct from each other."