The European Data Protection Board has issued its opinion on the draft adequacy decision on the EU-US Data Privacy Framework. This Framework is the latest in a long line of updates and attempted improvements of international data transfers across the Pacific and acts as a replacement for the previous Privacy Shield.
The Framework is a consequence of a series of updates regarding international data transfers between the EU and the US. The Privacy Shield was first introduced in 2016 as a replacement for the Safe Harbour Agreement and facilitated the transfer of personal data from the UK to the US via an EU adequacy decision. An “adequacy decision” is a formal decision that recognises that a particular country or territory provides an “adequate” level of data protection.
Debates around data protection between the EU and the US date back to 2015. In the case of Schrems v Data Protection Commissioner, Mr Schrems claimed that data transfers from his native Ireland to Facebook’s servers in the US, should be suspended. The European Court of Justice (ECJ) agreed and held that data transfers under the current regulations (the Safe Harbour Agreement) did not offer a sufficient level of protection.
The Privacy Shield was then introduced to replace the Safe Harbour Agreement in 2016. In July 2020, the ECJ once again held that the Shield was not sufficient to offer the required level of data protection. Since then, the US and UK have been in ongoing conversations to implement a new data transfer framework.
The EU-US Data Privacy Framework (EDPB) was signed into effect by President Biden in October 2022. The latest step forward in this venture is the EDPB adopting Opinion 5/2023 in which it has given a mixed response to the Framework. EDPB Chair, Andrea Jelinek, has stated that “a high level of data protection is essential … while we acknowledge the improvements (of the EU-US Framework) we recommend it to address the concerns expressed”. Particular areas of concern for the EDPB include certain exemptions to the rights of data subjects and a lack of specific rules governing automated decision-making.
This latest update does not mean the Framework has been officially adopted by the European Commission. The next steps are for a committee of EU member states to give its opinion on the Framework before it is officially adopted by the EU Commission.
What does this mean for the future of data transfers between the US and the UK?
Although the Framework is currently between the EU and USit is nonetheless likely to impact the UK. The UK and US have been making significant steps to incorporate the framework into the US-UK data transfers in tandem, with an October 2022press release detailing the “positive progress” made between the US and UK. It’s still too early to say whether this framework will be a significant improvement on the previous Privacy Shield, but it will certainly act as a foundation for any future US-UK data transfer agreement.