The European Data Protection Board (EDPB) and the European Parliament (EP) made critical statements to the Commission’s draft adequacy decision for data transfer to the USA.

On 13 December 2022, the Commission proposed a draft adequacy decision regarding the EU-U.S. Data Privacy Framework (DPF). The DPF is designed to replace the former EU-U.S. Privacy Shield, which was declared invalid by the ECJ’s judgment in Schrems II (→ eucrim 2/2020, 98-99). The effect of the DPF would be that personal data can flow freely from the EU to the USA in the private sector. According to the Commission, an assessment of the US legal framework let conclude that the USA provides comparable safeguards to those of the EU, so that personal data can be exchanged between EU and US companies. The Commission above all took into account Executive Order 14086 on “Enhancing Safeguards for United States Signals Intelligence Activities”, signed by US President Joe Biden in October 2022 as well as regulations adopted by the US Attorney General that complemented the Order. Both acts were considered to meet the criticism voiced by the ECJ in Schrems II.

In its opinion on the draft adequacy decision of 28 February 2023, the EDPB expressed concerns and requests clarifications on several points The EDPB is an independent European umbrella body which brings together the national data protection authorities and the European Data Protection Supervisor and which has a right to scrutiny adequacy decisions pursuant to the GDPR. The EDPB welcomed substantial improvements such as the introduction of requirements embodying the principles of necessity and proportionality for US intelligence gathering of data and the new redress mechanism for EU data subjects. The EDPB sees, however, still numerous shortcomings in relation to certain rights of data subjects, onward transfers, the scope of exemptions, temporary bulk collection of data and the practical functioning of the redress mechanism. The EDPB seeks clarification on these points and would appreciate it if not only the entry into force but also the adoption of the adequacy decision were made conditional on the adoption of updated policies and procedures to implement Executive Order 14086 by all US intelligence agencies.

In an EP resolution adopted on 11 May 2023, MEPs share the concerns of the EDPB. They point out inter alia that US legislation still does not provide for independent prior authorisation for collection of bulk data and lacks an “objective criterion capable of justifying” the government interference with privacy, as required by the ECJ. In addition, the resolution notes that the US intelligence community still performs the practice of electronic mass surveillance of EU citizens. The resolution sees also existing shortcomings in the Executive Order 14086. Against this background, the EP concludes that the EU-US Data Privacy Framework fails to create essential equivalence in the level of protection. The Commission is called to continue negotiations with its US counterparts which would provide the adequate level of protection required by Union data protection law and the Charter. The Commission should also not adopt the adequacy finding “until all the recommendations made in this resolution and the EDPB opinion are fully implemented”.

It should be noted that the adequacy decision is an implementing act that is decided by the Commission itself (Art. 45 GDPR). The opinions by the EDPB and the EP are not binding for the Commission. However, they set a clear legal and political statement. A Commission official announced that the Commission may put forward a revised version of the adequacy decision before the summer break.