There is a "new way forward" for post-Brexit arrangements and relations. Fitting, perhaps, that this week’s "View from Brussels" comes, in fact, from London — just a few miles, or kilometers, away from where the Windsor Framework was inked by the U.K. Prime Minister and the President of the European Commission. Readers may be reassured to know the transfer of authorship of this weekly column is both temporary and beyond the scope of the Windsor Framework. Normal service from Isabelle returns next week.
There is no doubt the European Data Protection Board is the engine room of data protection in Brussels. Still hot from last week’s activity, the EDPB engine purred again this week. Its 54-page opinion on the European Commission’s draft adequacy decision for the EU-US Data Privacy Framework is an important green light from the EU data protection regulators. The opinion is as good as negotiators on both sides of the Atlantic could have hoped for. The headline — which welcomed "improvements under the EU-U.S. Data Privacy Framework, but concerns remain" — paves the way for the next stages in the procedure. The EDPB’s concerns, requests for clarification and requests for close monitoring of the arrangement reflect the sensitive, novel and “significant” reforms currently being implemented by the U.S. government that seek to address various issues identified by the Court of Justice of the European Union in "Schrems II."
Next up in the procedure is further scrutiny by European Parliament, likely culminating in a nonbinding vote of the plenary. For example, in 2021 the European Parliament rejected the EU’s draft adequacy decision for the U.K., which was then adopted a month later. Member states representatives will then assemble to vote on the draft, with at least 15 out of the 27 needing to approve the draft before it is formally adopted by the College of Commissioners.
As the adequacy procedure marches on, many will be watching a parallel track of potentially consequential importance to the transatlantic data transfers equation. That other track involves a dispute about Facebook’s use of standard contractual clauses to transfer EU data to the U.S. The dispute is currently with the EDPB, which is preparing a binding decision on the matter. The decision, due mid-April, will bind Ireland's Data Protection Commission to issue its own decision to the parties by mid-May. I unpacked how such decisions are reached by the EDPB in my most recent article on the one stop shop. While the facts of the dispute before the EDPB pertain to Facebook’s historic use of the 2010 SCCs, not the 2021 version required of EU data exporters today, and relevant U.S. laws and practices as they existed in 2015, when the legal challenge was reformulated, the timing and nature of the ruling could complexify the transatlantic data transfer equation.
Many privacy professionals and economic operators will be eager to see the new adequacy arrangement get over the line soon. Many too — especially in the EU institutions — are quickly becoming proficient, if not expert, in matters of relevant U.S. law and practice. Below are some articles from the world of academia on the new U.S. laws and practices that I, as a European, have found instructive:
- The Jurisdiction of the New Data Protection Review Court by Paul Rosenzweig.
- “Without Confirming or Denying”: Opaque Notification and National Security Redress by Alex Joel.
- The redress mechanism in the Privacy Shield successor: On the independence and effective powers of the DPRC by Ken Prop, Peter Swire and Théodore Christakis.
- And, of course, there’s plenty more on the IAPP’s Resource Center for the EU-US Data Privacy Framework.
Beyond the world of transfers, but sticking with the continent of Europe, I’m looking at:
- The process behind the EDPB’s coordinated enforcement framework, ahead of the coordinated enforcement on the appointment and role of the data protection officers that starts in a couple of weeks.
- The EU Council’s compromise text on the Cyber Resilience Act.
- How EU policymakers have adtech in their sights.
- The incredible program for next week’s Data Protection Intensive: UK 2023, which is packed with incredible speakers and content, and coincides with the release of the UK General Data Protection Regulation reform proposals.
Yours, transferring out.