Firm stop from the EU Parliament’s Committee on the new EU-US Data Privacy Framework

Since 7 October 2022, when US President Joe Biden issued Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities (EO), privacy professionals have been impatiently waiting to learn the opinion of the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (the “Committee”) on it. More specifically, for months the discussion has centred on whether the Committee would consider the protection offered by the new EU-US Data Privacy Framework adequate by GDPR standards.

Finally, on 14 February 2023, the Committee urged the European Commission not to adopt an adequacy decision based on the Framework, on the basis that it “fails to create actual equivalence” with the EU in the level of data protection that it provides.

In this article, we will try to clarify the process leading to the release of an adequacy decision, and then analyse the Committee’s decision.

Before exploring the process for adopting an adequacy decision, it is worth taking a step back and briefly explaining what an adequacy decision is and why granting one to the US is so important.

What is an adequacy decision?

When we talk about adequacy decisions, we move into the territory of international data transfers, regulated by Chapter V of the EU and UK GDPR. The provisions on international transfers apply whenever an EU/UK controller or processor transfers data to a third country. Chapter V establishes different mechanisms for undertaking such a transfer in compliance with the Regulation, but under Art. 45(1) the general and guiding rule is that “A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country (…) ensures an adequate level of protection”.

Moreover, Art. 45(2) establishes that, when assessing the level of protection, the Commission shall take account of the following elements: a) the rule of law in the assessed country, mainly in relation to respect for human rights and fundamental freedoms, as well as the implementation of data protection legislation; b) the existence and effective functioning of an independent supervisory authority to which the recipient of the data is subject; c) the international commitments the third country concerned has entered into, particularly in relation to the protection of personal data.

Hence, the European Commission has the power to determine, on the basis of Article 45 of Regulation (EU) 2016/679, whether a country outside the EU offers an adequate level of data protection.

The adoption of an adequacy decision follows this procedure: 1) a proposal from the European Commission; 2) an opinion of the European Data Protection Board on the proposal; 3) approval from representatives of EU countries, which form the above-mentioned committee[1]; and 4) the adoption of the decision by the European Commission. Within this process, the Committee published its resolution advising the Commission not to adopt an adequacy decision in favour of the US based on the new US-EU Privacy Framework.

Why is granting the US an adequacy decision so important?

Considering the close political and economic relationship that the UK and the EU countries have with the USA, organisations established in the UK or EU find themselves sending data to the US very frequently, in some circumstances daily. As stated by the White House in its latest fact sheet, the EU-U.S. economy is worth $7.1 trillion and depends on transatlantic data flows to function[2].

Therefore, the lack of an adequacy decision, which obliges these organisations to rely upon other international transfer mechanisms (i.e., Standard Contractual Clauses, Binding Corporate Rules or, alternatively, the data subject’s explicit consent), has a significant impact. An EU-U.S. Data Privacy Framework would re-establish a fundamental legal basis for transatlantic data flows.

The current EU-US framework

It is important to remember that until 2020, the data flow between the EU and the US was regulated by a previous adequacy decision known as the Privacy Shield. However, on 16 July 2020, in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (‘Schrems II’), the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield on account of invasive US surveillance programmes[3]. According to the Court, the US surveillance programmes interfered with the fundamental rights to privacy, to data protection and to effective judicial protection[4]. The Court concluded that the US does not provide a level of protection essentially equivalent, and therefore sufficient, to that of the GDPR. As previously mentioned, since then organisations transferring data to the US have relied upon alternative mechanisms.

However, in March 2022, following intense negotiations between the lead negotiators of both parties (US and EU), the EU Commission President and President Biden announced an agreement in principle on a new transatlantic data transfer framework. Furthermore, in October 2022, President Biden signed an Executive Order (EO) on ‘Enhancing Safeguards for United States Signals Intelligence Activities’, which aims to show the US commitment to strengthening a stringent set of civil rights and privacy protections for American signals intelligence activities.

Among other things, the following components of the framework are worth mentioning:

  • additional safeguards, including a requirement that the US signals intelligence activities only be carried out in the service of clearly specified national security goals;
  • guidelines for how to handle personal data gathered as part of US signals intelligence activities, and the assignment to legal, supervisory and compliance personnel of the duty of enforcing compliance;
  • addressing the lack of access for data subjects to seek legal assistance when their personal data is intercepted in US intelligence efforts; and
  • ensuring policies and practices of the Intelligence Community are in line with the EU-US Data Privacy Framework[5].

On this basis, the Commission proposed a draft adequacy decision on the EU-U.S. Data Privacy Framework, and it is this Framework about which the Committee raised concerns regarding the equivalence of the protection offered by the US.

The Resolution of the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs

As indicated in the introduction of this article, on 14 February 2023 the Committee released its resolution emphasising that the proposed EU-US Data Privacy Framework fails to reach real equivalence of protection and, therefore, urging the EU Commission not to adopt an adequacy decision.

The main arguments of the Committee relate to very basic legal guarantees that seem to be lacking in the US legislative system.

Starting with the principles of proportionality and necessity, key elements in data protection, the Committee notes that their definition under US law and, more specifically, within the EO is very different from the GDPR definition. To give a practical example, the EO requires that signals intelligence be conducted proportionately to the ‘validated intelligence priority’; this appears to be too broad an interpretation of proportionality.

Moreover, the Committee pointed out that the restrictions on access to data provided by the EO do not apply to data accessed by public authorities via other means, for example through the US Cloud Act or the US Patriot Act, through commercial data purchases, or through voluntary data sharing agreements.

Finally, concerns have been raised around the existence of a genuinely independent judicial body that can ensure respect for privacy and data protection rights. The Committee highlighted that decisions made by the Data Protection Review Court (“DPRC”) will not be made public or available to complainants, and more generally that the DPRC is not sufficiently transparent, independent or impartial, in part because it is part of the executive branch rather than the judiciary[6].

Conclusion

The gaps in the US data protection framework are evident, as are the massive surveillance programs that certain US public authorities have the right to use without distinction. Further evidence of this is the recent US Supreme Court decision declining to hear a rare case challenging the NSA’s secretive “upstream surveillance” program, which gathers massive amounts of data on online communications[7].

However, even though, from a business perspective, the threat to the adoption of an adequacy decision cannot be seen in a positive light given the difficulties and lack of clarity surrounding the alternative international transfer mechanisms, the Committee’s decision will undoubtedly be warmly welcomed by privacy and data protection activists, as well as by individuals protected by the UK/EU GDPR.

[1] Data protection: Commission starts process to adopt adequacy decision for safe data flows with the US https://ec.europa.eu/commission/presscorner/detail/en/IP_22_7631

[2] FACT SHEET: President Biden Signs Executive Order to Implement the European Union-U.S. Data Privacy Framework https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/07/fact-sheet-president-biden-signs-executive-order-to-implement-the-european-union-u-s-data-privacy-framework/

[3] Case C-311/18 – Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems

[4] Among others, the Court expressly mentions surveillance programs such as PRISM and UPSTREAM.

[5] FACT SHEET: President Biden Signs Executive Order to Implement the European Union-U.S. Data Privacy Framework https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/07/fact-sheet-president-biden-signs-executive-order-to-implement-the-european-union-u-s-data-privacy-framework/

[6] European Parliament – Committee on Civil Liberties, Justice and Home Affairs – European Parliament resolution on the adequacy of the protection afforded by the EU-US Data Privacy Framework (2023/2501(RSP))

[7] Supreme Court declines to hear Wikimedia case against NSA surveillance program | CyberScoop
