The process for data transfers from the EU to the US under Standard Contractual Clauses has been back in the news recently, leading many to ask: will the proposed EU-US Data Privacy Framework be approved by the Europeans soon?
A quick recap on the background: the new transfer regime was developed in March to replace the Privacy Shield program. For the program to be an effective basis for transfer, however, it has to be not only launched in the US, but also formally adopted by the EU Commission. The key concern, and what led to the downfall of the two prior programs, Safe Harbor and Privacy Shield, has been US governmental surveillance of non-US individuals. To address this, Biden issued Executive Order 14086 in October 2022. That order put restrictions in place over potential surveillance activities, but gives the US intelligence community until October to update policies and practices to align with the order.
Where are we now? A draft adequacy decision was proposed in December to begin the review process. However, in February the EDPB raised concerns. Last month the European Parliament echoed the EDPB’s concerns and recommended that the EU Parliament not adopt the adequacy decision. The key concerns included:
- The US President can expand the list of national security objectives for which surveillance can be conducted without informing the EU of that expansion.
- Although there are safeguards for bulk collection, there is no provision for prior authorization, which the Parliament recalled was the concern that caused the downfall of the Privacy Shield program.
- The approach towards determining what is “necessary and proportionate” for a US surveillance activity is not in line with the EU approach.
- The order does not address information that surveillance agencies might access through existing laws like the US Patriot Act.
Additionally, while the order set forth a redress mechanism for individuals, it was not viewed as sufficiently transparent or independent by the EU Parliament. The Parliament recommended this be monitored if the Framework is in fact adopted by the EU Commission.
In recommending that the EU Commission vote against adopting the adequacy decision and continue negotiating with the US, the EU Parliament noted the October deadline for the US intelligence community. As such, it stated it could not fully assess the effectiveness of the order.
Putting It Into Practice: While we continue to wait for finalization of the new EU-US Privacy Framework, companies will need to continue to rely on alternate mechanisms for EU-US data transfers, which include supplemental protection measures.