The European Commission has concluded that US data protection rules are on par with the EU GDPR, paving the way for safe transatlantic data flows.
Earlier this week (December 13), the commission published its draft adequacy decision on the US, concluding that the US legal framework “provides comparable safeguards to those of the EU”.
The draft decision states that “the United States ensures an adequate level of protection” for personal data transferred from the EU to US companies.
“Today’s draft decision is the outcome of more than one year of intense negotiations with the US,” Didier Reynders, Commissioner for Justice, commented, adding that the future data-sharing framework will “help protect the citizens’ privacy while providing legal certainty for businesses”.
Under the new EU-US Data Privacy Framework, companies must comply with a detailed set of privacy obligations, for instance, the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected.
They must also ensure continuity of protection when personal data is shared with third parties and will provide EU citizens with several redress avenues if their personal data is handled in violation of the framework.
In addition, the commission says the US legal framework provides several limitations and safeguards regarding access to data by US public authorities, particularly for criminal law enforcement and national security purposes.
These safeguards were in part established by an executive order signed by US President Joe Biden on October 7, which set out new principles for signals intelligence gathering, and a new attorney general regulation that establishes a Data Protection Review Court, which will handle EU citizens’ complaints regarding US signals intelligence activities.
According to the commission, these two measures, which were explicitly designed to address issues raised by the Court of Justice of the European Union (CJEU) when it struck down the previous data-sharing framework, successfully implemented into US law what the EU and the US agreed in principle in March.
Businesses hail the decision while privacy experts voice concerns
Many industry groups have welcomed the draft decision.
“The Data Privacy Framework is a critically important step to ensure our economies remain connected,” said Marjorie Chorlins, the US Chamber of Commerce senior vice president for Europe.
Jason Oxman, president and CEO of the Information Technology Industry Council (ITI), stressed that “data flows underpin $7.1trn in economic relations between the EU and the United States” and urged EU member states to work with EU institutions to adopt the draft adequacy decision.
According to Oxman, the draft decision now enables authorities and businesses to prepare to move forward “with a solid and reliable framework that protects fundamental rights of citizens, provides legal certainty for businesses, and safeguards the continuity of commercial activities involving the movement of data across borders.”
Meanwhile, several digital rights advocacy groups and privacy experts have raised doubts about whether the draft decision could prevail.
“It's too early to celebrate,” according to Rie Aleksandra Walle, privacy specialist and founder of NoTies Consulting.
“The final decision isn't expected before Spring 2023, after which it can be challenged,” she stressed.
Before the decision becomes final, the European Data Protection Board (EDPB) has to hand down an opinion and a committee of EU member state representatives must give the green light.
The European Parliament may also decide to examine the decision.
The EU “seems split between those emphasising personal data protection and privacy vs. doing business with the US,” according to Walle.
“It's no surprise that the Commission wants to get a deal in place, like twice before, but I'm not so sure the EDPB will agree when they are now set to do their review,” she said, while noting that the opinion will not be binding on the commission.
The fact that US surveillance laws have not been changed directly may raise concerns, as well as the validity of executive orders, which can be withdrawn without public knowledge, Walle explained.
Although the framework is welcome to the extent that it would provide “some long-awaited breathing space” for US businesses, Walle said there is a risk that “we'll be looking at a Schrems III situation with yet another round in the CJEU.”
noyb, the data privacy advocacy group whose honorary chair Max Schrems played a key role in the invalidation of the two previous frameworks, gave the announcement a harsh dressing-down.
According to the group, the executive order “seems to fail” on both requirements raised by the CJEU since there is continuous “bulk surveillance” and a “court that is not an actual court”.
“As the draft decision is based on the known executive order, I can't see how this would survive a challenge before the Court of Justice,” Schrems said.
“It seems that the European Commission just issues similar decisions over and over again – in flagrant breach of our fundamental rights,” he added.
Similar doubts have been voiced by the Electronic Privacy Information Center (EPIC), which said that the executive order is a “meaningful but insufficient step forward” that may leave the door open to the misuse of personal data.
Once the final adequacy decision is adopted, companies can apply for certification from the US Department of Commerce under the new framework, which will then give them the certainty that their transatlantic data transfers are in compliance with data protection rules.
