On 14 February 2023, a committee of the European Parliament issued a draft opinion (EP Opinion) that advised against the adoption of the EU-U.S. draft adequacy decision (DPF Adequacy Decision). This is the first formal opinion issued by EU public authorities regarding the adoption of the DPF Adequacy Decision, and this negative start may pave the way for further obstacles or challenges to the free flow of personal data from the EU to the U.S.
Since the EU-U.S. Privacy Shield framework was invalidated by the Court of Justice of the European Union (CJEU) in July 2020 in the landmark Schrems II case, there has been considerable uncertainty regarding future frameworks to permit EU to U.S. data transfers. Last year, President Biden issued Executive Order 14086 (Executive Order) which sets out key commitments of the U.S. to a new privacy framework, the Transatlantic Data Privacy Framework, and these commitments were subsequently acknowledged in the European Commission’s DPF Adequacy Decision (for more information, see our client alert). However, privacy activists have criticized the new framework, with the ongoing extent of U.S. government surveillance over signals intelligence (SIGINT), and the effectiveness of the proposed redress and oversight mechanisms, being particular causes of concern.
Such concerns were shared in the draft opinion issued by the European Parliament Committee on Civil Liberties, Justice and Home Affairs (a committee of the European Parliament that is responsible for protecting civil liberties and human rights) (EP Committee). The EP Committee concluded that the Transatlantic Data Privacy Framework failed to adequately protect personal data subject to EU data protection law and, on this basis, urged the European Commission not to adopt the DPF Adequacy Decision in its current form.
Key issues identified
The EP Committee noted that the Executive Order is "not clear, precise or foreseeable in its application" as it can be amended at any time by the U.S. President. Among other issues, the EP Committee identified several further key shortcomings of the Transatlantic Data Privacy Framework:
- Bulk data collection by U.S. SIGINT and public authorities is still permitted. Although the Executive Order permitted the bulk collection of SIGINT data for a narrower subset of legitimate national security and intelligence objectives, the EP Committee noted that the bulk collection of data was nevertheless still permitted, and that this list of objectives may be expanded by the U.S. President without communication to the public. The Executive Order also addressed criticisms regarding bulk collection under Executive Order 12333 and Foreign Intelligence Surveillance Act Section 702; however, the EP Committee noted that data accessed by U.S. public authorities via other means such as the U.S. Cloud Act, the U.S. Patriot Act, by commercial data purchases or by voluntary data sharing agreements were not addressed.
- Concepts of "proportionality" and "necessity" are not aligned with their definition under EU law. The Executive Order also restricted the bulk collection of SIGINT data to that which is proportionate, balancing the importance of intelligence against the impact on privacy and civil liberties of individuals based both inside and outside of the U.S. However, the EP Committee noted that the Executive Order also stated that such SIGINT activities will be conducted in a manner proportionate to the "validated intelligence priority" which appeared to be a considerably broader concept than the definition and interpretation of "proportionality" and "necessity" under EU law.
- The redress mechanisms provided by the Executive Order does not meet the standard of transparency, independence and impartiality required under EU law. The Executive Order introduced a two-layer redress mechanism whereby individuals in the EU will firstly be able to lodge a complaint against SIGINT agencies with the Civil Liberties Protection Officer, and may then appeal a decision to the Data Protection Review Court (DPRC). The EP Committee noted that the redress process provided by the Executive Order is not fully transparent as DPRC decisions are classified, and there is no obligation to notify complainants that their personal data has been processed; this lack of transparency undermined the rights of individuals to access or rectify their personal data as required under EU data protection law. The EP Committee also noted that the DPRC is to be set up as an executive body within the U.S. government, instead of the judiciary, and that complainants would be represented by a "special advocate" designated by the DPRC for whom there is no requirement of independence. The Executive Order also did not provide avenues for complainants to appeal DPRC decisions to a U.S. federal court and did not provide any possibility for complainants to claim damages. Together, the EP Committee determined that this issues undermined the independence and impartiality of the DPRC.
In addition, the EP Committee noted that unlike all other countries that have received an EU adequacy decision to date, the U.S. does not have a federal data protection law. The EP Committee further expressed concerns that the DPF Adequacy Decision did not contain a sunset clause that would cause the DPF Adequacy Decision to automatically expire without a review and renewal by the European Commission (for more information on the UK adequacy decision, see our previous client alert here); in contrast, the inclusion of such a sunset clause was welcomed by European Parliament in its opinion regarding the UK adequacy decision, as a mechanism to ensure continued compliance by the UK.
Commentary and next steps
The EP Opinion presents a potential obstacle to the DPF Adequacy Decision's adoption process that some observers had expected to be relatively straightforward, as the Executive Order was specifically designed to address the concerns raised in Schrems II. Although non-binding, the EP Opinion is influential and is designed to be considered by the European Commission when determining whether to finalize and adopt the DPF adequacy decision. It remains to be seen whether the finalized EP Opinion, which is expected to be filed and passed in European Parliament by April 2023, will contain the same substantive findings.
Three outcomes are possible:
- the European Commission may proceed regardless and adopt the DPF Adequacy Decision;
- the DPF Decision may be further delayed for the EU and U.S. to consider and address the points raised by the EP Committee; or
- the European Commission may decide not to adopt the DPF Adequacy Decision.
It is unlikely that the EP Opinion will, on its own, cause the European Commission to elect not to adopt the DPF Adequacy Decision, and it is more likely that further negotiations will result – indeed this appears to be the intention of the EP Committee, which concluded EP Opinion by calling on the European Commission to "continue negotiations with its U.S. counterparts" to create a mechanism that ensures an adequate level of protection required under EU data protection law. It is noteworthy that the European Parliament similarly criticized the EU-U.S. Privacy Shield Framework in 2018 and called for the suspension of the Privacy Shield Framework unless the U.S. government complies with its requirements; however, the Privacy Shield Framework remained operational until its invalidation in Schrems II.
Should the DPF Adequacy Decision be adopted, it is likely that the DPF Adequacy Decision will be subject to legal challenges, particularly from privacy activists. The EP Opinion further justifies future legal challenges, particularly if the European Commission proceeds and adopts the DPF Adequacy Decision regardless of the EP Opinion's findings.
The European Data Protection Board, the independent EU body tasked with applying the GDPR consistently among EU member states (EDPB), is also expected to issue its own non-binding opinion in the coming weeks; it remains uncertain as to whether it will take a similar standpoint to the EP Opinion. If the EDPB's opinion similarly advises the European Commission against the adoption of the DPF Adequacy Decision, this may also present further considerations and challenges to its final adoption.