EU lawmakers advise against signing US data pact

Lawmakers in the European Parliament have urged the European Commission not to issue the "adequacy decision" needed for the EU-US Data Privacy Framework (DPF) to officially become the pipeline for data to freely flow from the EU to the States.

It almost goes without saying that the current operation of the technology sector in Europe would not work without US tech companies' services – so data transfers to these American corporations cannot practicably be avoided. However, European rules around privacy, data collection, and data subjects' rights are considerably stronger than those in America, hence the need for rules of engagement that make US companies' treatment of EU data as good as what they'd get at home.

The DPF was announced in March last year and is meant to address concerns raised by the EU's Court of Justice in Schrems II, a 2020 case that struck down the so-called Privacy Shield data protection arrangements between the political bloc and the US.

EU president Ursula von der Leyen and US president Joe Biden said they'd reached an agreement in principle on the framework for transatlantic data flows at the time, with Biden signing an executive order (EO) on the matter in October last year.

But the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) is still not happy with what it sees, and has put out a nonbinding draft opinion [PDF] on how adequate it thinks the protection given by the proposed cross-border data rules is. In short: it ain't.

According to the motion filed this week, the latest Data Privacy Framework still falls far short of the General Data Protection Regulation standard EU residents could expect from companies that are regulated within the bloc. The Committee says that "unless meaningful reforms were introduced," the Commish shouldn't proceed. Tech lawyer Neil Brown of decoded.legal told The Register that "In other words... no amount of paperwork will overcome what they perceive to be aspects of US law which they consider to be incompatible with the EU GDPR."

According to the European Commission, model clauses are currently the most used data transfer mechanism, with the Commish adopting modernized standard contractual clauses, or SCCs, to facilitate their use, "in light of the requirements set by the Court of justice in the Schrems II judgment."

Since Privacy Shield was struck down, companies have been forced to fall back on SCCs to cover themselves when sharing data between the EU and US. As well as being time-consuming to implement, SCCs may not be watertight.

Legal eagle Neil Brown said that while businesses can opt to use these, "when one uses the SCCs for transfers to the USA (or elsewhere), one is still required to undertake a transfer risk assessment. Doing them properly is complicated and expensive.

"And some will argue that there is simply nothing which one can do, if personal data need to be accessed from or transferred to the USA, to protect those personal data from the risks identified in Schrems II, such that any transfer risk assessment is either doomed to fail or, if it 'passes', must be incorrect."

He added that conversely, "where a transfer is based on an adequacy decision, there is no need for a transfer risk assessment – the destination is adequate, from an EU data protection perspective – and so the transfer is simpler and cheaper."

LIBE said the rejigged rules did not have the robust government surveillance safeguards and consumer redress mechanisms that it would expect in order "to create actual equivalence in the level of protection" provided to EU residents' transferred data.

Among other issues, it pointed to:

The committee also pointed out that "unlike all other third countries that have received an adequacy decision under the GDPR, the US still does not have a federal data protection law." That matters when principles around any "limits" imposed on US SigInt work "will be interpreted solely in the light of US law and legal traditions," it said.

The DPF provides for several redress mechanisms. Among other things, Europeans can lodge grievances with the Data Protection Review Court (DPRC) if they believe their personal data was collected in violation of applicable US law.

However, the committee found, the "redress process provided by the EO is based on secrecy and does not set up an obligation to notify the complainant that their personal data has been processed, thereby undermining their right to access or rectify their data."

It also found the DPRC didn't meet the standards of impartiality or independence under the EU's Fundamental Rights charter, as the "complainant will be represented by a 'special advocate' designated by the DPRC, for whom there is no requirement of independence," and also that there was no route for federal appeal for the data subject.

If it passes all the European Union hurdles, an adequacy decision for the DPF could be expected around July 2023. Once it is adopted, European businesses will be able to transfer personal data to "participating companies in the United States, without having to put in place additional data protection safeguards."

But is that going to happen? Brown told The Register: "My feeling ... is that there would be scepticism of any US-issued edict, which failed to prohibit bulk collection (and such a prohibition seems highly unlikely), or which permits secret interpretations / expansions of the law." ®

Source: The Register