As we step into the summer of 2023, the world’s eyes are on the European Commission and its anticipated finalization of a data transfer pact with the United States. The hope is that this EU-US data protection framework will be fully functional by the time the heatwaves hit, promising stability and legal certainty in a realm fraught with controversy and complexity. But is this outcome truly within reach, or are we merely hoping against hope? We’ll try to give a short update of the current situation below.
Proposed agreement under heavy critique
European Union lawmakers have already sounded the alarm, urging the European Commission to reinforce the proposed data transfer pact. They point to clear shortcomings in the agreement, with missing elements on judicial independence, transparency, access to justice, and remedies being of particular concern. It is important to remember that the EU countries still need to adopt a non-binding opinion, only after which will the executive make its final decision on the pact. This indicates that there are still a few hurdles to jump before this agreement can become a reality.
Persistent conflict between EU and US law confirmed by the EDPB
The EU-US Data Privacy Framework is intended to offer a flexible alternative to the European Commission’s Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). However, history warns us to be cautious. The Privacy Shield and the Safe Harbor scheme, previously implemented for more flexible data transfers, were invalidated following the Schrems II and Schrems I decisions in 2020 and 2015 respectively. These past failures serve as a stark reminder of the potential pitfalls that lie ahead for the proposed Data Privacy Framework.
The European Data Protection Board (EDPB) has also weighed in on the issue, adopting its Opinion on the draft adequacy decision of the European Commission regarding the EU-US Data Privacy Framework. While acknowledging substantial improvements in the proposed DPF compared to the former Privacy Shield, the EDPB expressed serious reservations about the level of protection provided by the draft adequacy decision.
The EDPB pointed out specific areas of concern such as the complexity of the DPF and its lack of key definitions, which could lead to misunderstanding among data subjects and stakeholders. It highlighted the need for clear safeguards against onward transfers of data from the initial recipient and called for more clarity regarding government access to data and bulk data collection.
In the face of these significant reservations, it is difficult to see how the proposed agreement will seamlessly fit within the current legal framework of the EU and the case law of the European Court of Justice (ECJ).
Is a new agreement a realistic aim…?
To add to the uncertainty, privacy advocate Max Schrems has already expressed his reservations regarding the level of protection guaranteed by the EU-US Data Privacy Framework. Schrems has been successful in challenging previous agreements in the ECJ, and his concerns suggest that another legal challenge may be forthcoming.
In conclusion, while the European Commission’s goal of achieving a functional EU-US data transfer pact by summer 2023 is admirable, the numerous challenges and obstacles make the likelihood of achieving this aim questionable. The proposed agreement will not only need to appease lawmakers and data protection authorities but also pass the test of the ECJ’s rigorous case law. The road to a robust and legally sound EU-US data transfer pact is fraught with difficulties, and it remains to be seen whether the summer of 2023 will indeed bring about the long-awaited resolution to this complex issue.
How should businesses position themselves in this uncertain legal reality?
For American and European businesses dealing with this uncertain legal situation, it’s crucial to stay informed and be flexible. Keep an eye on the news and consult with legal counsel to understand the implications of these changes for your data transfer practices. It may be prudent to review and update your data privacy policies in light of the upcoming EU-US Data Privacy Framework. Remember, it’s always better to be proactive rather than reactive when it comes to data privacy. Don’t wait for the final decision; start preparing now.
Do you have questions about data transfers or data protection in general?
Please feel free to schedule a video call with us through the booking link on this page or send us an e-mail (info@siriuslegal.be) and we’ll be happy to get in touch with you.