Network framework globe

Will the draft EU-U.S. Data Privacy Framework mitigate Schrems II?

Authors

3 minute read 17 Mar 2023

The draft EU-U.S. Data Privacy Framework has been published and the European Parliament’s reaction might send it back to the drawing table.

In brief:

  • The EC launched the process to adopt a new adequacy decision (the draft EU-U.S. Data Privacy Framework) for data transfers between the EU and the U.S..
  • But the European Parliament has already issued a draft motion concluding that this draft fails to create actual equivalence with the EU Data Protection laws.
  • We can expect a final framework to take some more time. It thus remains important to rely on the general regime for data transfers.

The “Privacy Shield” provided for a legal ground for data transfer from the EU to U.S. companies. However, in 2020,  the Court of Justice of the European Union (CJEU) declared it invalid by means of the so-called ‘Schrems II case’.  

This Privacy Shield was, inter alia, declared invalid due to a lack of protection of personal data. The main reasons were:

  • Shortcomings in the U.S. laws,
  • The absence of adequate protection against the far-reaching possibilities of surveillance
  • The fact that data subject rights were not actionable before the courts against U.S. authorities.

This resulted in a legal and compliance issue for many EU-U.S. data transfers that were based on this Privacy Shield. Indeed, if no other legal ground was available, the transfer should be ceased immediately without a grace period. Of course this has a material impact and it was (and is) obviously an undesirable situation, not only due to the (legal and compliance) constraints, but also due to the uncertainty that companies need to deal with.

To tackle this, in March 2022, the European Commission and the U.S. announced an agreement on a new “Trans-Atlantic Data Privacy Framework”. This agreement should address the concerns raised by CJEU in the Schrems II decision and its purpose was to strengthen privacy and civil liberties protection from U.S. signals intelligence activities as well as to establish a redress mechanism with independent and binding authority.

On 12 December 2022, following this agreement, the European Commission published the draft of the new EU-U.S. Data Protection Framework (DPF), which would try to address the concerns raised by the CJEU in its Schrems II decision.

Draft EU-U.S. Data Privacy Framework and the first reaction of the European Parliament

PDF (4 MB)

Although still being in a draft phase, and before effectively coming into force, the further adoption process involves obtaining an opinion from the European Data Protection Board (EDPB) and the green light from a committee composed of representatives of EU Member States.

However, on 14 February 2023, even before the EDPB provided its opinion, the European Parliament issued a draft motion for a resolution on the adequacy of the draft framework. In short, it concludes that the EU-U.S. DPF fails to create actual equivalence with the EU in the level of data protection that it provides, because:

  1. Indiscriminate access by intelligence authorities to the content of electronic communications violates the fundamental right to confidentiality of communication, and is still not Adequately tackled,
  2. Although the principles of proportionality and necessity are introduced, their definitions are not in line with definition under EU law and will be interpreted solely in light of U.S. law and legal traditions,
  3. Bulk collection of data by signals intelligence is still not prohibited,
  4. The (draft) framework still does not apply to data accessed by public authorities via other means, for example through the U.S. Cloud Act or the U.S. Patriot Act, by commercial data purchases, or by voluntary data sharing agreements,
  5. Regarding the Data Protection Review Court (DPRC), a lot of weaknesses were pointed out that are not in line with EU expectations on adequate protection. This leads to the conclusion that the DPRC does not meet the standards of independence and impartiality as expected in the EU.

Although it is indeed a draft motion on a draft EU-U.S. DPF, we do see that the Parliament exposes sensitive issues and topics that will not be put aside that easily since they relate to the essence of Schrems II. Therefore, we might expect the process of a (final?) EU-U.S. Framework to still take some time and the current situation lacking an adequacy decision will probably remain for a while longer. In order to be ‘future-proof’, it is of essence that the new Framework withstands the arguments that took down the Privacy Shield in the Schrems II case.

In the meantime, it thus remains important to rely on the general regime applicable to transfers of personal data outside the EU without an adequacy decision:

  1. Know your transfer,
  2. Verify your transfer tools,
  3. Assess,
  4. Identify and adopt supplementary measures, and
  5. Re-evaluate.

Summary

Given the recent draft opinion of the European Parliament, chances are unfortunately real that no final solution to tackle Schrems II will be available in the very near future. Therefore, one should in the meantime continue to rely on the general regime applicable to transfers of personal data outside the EU without an adequacy decision: know your transfer, verify transfer tools, assess, supplementary measures, re-evaluate.

About this article

Authors

Related topics
Financial services
Banking and capital markets
Law
Cybersecurity

Related articles

    EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.