On 10 July 2023, after years of uncertainty and tense negotiations, the European Commission finally announced the adoption of an adequacy decision concerning the
EU-US Trans-Atlantic Data Privacy Framework (TADPF). With this decision, the Commission makes the assessment that the US offers a comparable level of protection of personal data to that of the European Union, and hence that personal data can be transferred from the EU to US companies participating in the EU-U.S. Data Privacy Framework.
This decision breaks a three-year deadlock on transatlantic data flows since the ‘Schrems II’ European Court of Justice ruling that in 2020 brought down the
EU-US Privacy Shield agreement, which itself was replacing the prior
Safe Harbour agreement on data flows invalidated by the ‘Schrems I’ ruling in 2015.
Both complaints were lodged by Austrian
privacy activist Max Schrems, who successfully challenged – and thus brought to a halt – the transfer of EU data to the US by pointing, in the case of ‘Schrems II’, to the mishandling of personal data by Facebook, and, in the case of ‘Schrems I’, to the interference of US surveillance programmes with the fundamental privacy right of EU data subjects.
The EU-US Data Privacy Framework provides EU citizens with new safeguards against misuse of their data and the right to obtain access to and correct or delete data stored in the US. In case of mishandled data, they will have the possibility to obtain redress by lodging a complaint with their national Data Protection Authority (DPA), which in turn can appeal to a Data Protection Review Court (DPRC) with the powers to investigate and impose binding remedies.
The news of the adequacy decision will be
welcomed by businesses looking for legal certainty for transatlantic data transfers. But privacy advocates were quick to voice their
scepticism with regard to the DPRC, its independence and its functioning. The DPRC will be composed of members from outside of the US government, but the appointment process might not be sufficiently robust to ensure full independence and hence fair and transparent judgments. Additional worries concern the level of safeguards and possibly diverging EU-US interpretations of the proportionality criteria that limit access to EU citizens’ data by US intelligence authorities.
Despite these weaknesses, the newly brokered TADPF comes at a significant time for the EU-US partnership and represents a first step to bridge the Atlantic data gap in a moment marked by geopolitical and geoeconomic challenges. Therefore, although privacy concerns and insatisfactions raised by activists on the EU’s side of the Atlantic are valid, we should not jump the gun and wait for the Commission’s first review of the decision – which is due for July 2024 – before drawing conclusions on the TADPF. After all, a third sparring match in front of the European Court of Justice and a ‘Schrems III’ scenario will only bring about more uncertainty for EU data subjects.
Giulia Torchio is a Programme Assistant in the Europe's Political Economy programme at the European Policy Centre.
The support the European Policy Centre receives for its ongoing operations, or specifically for its publications, does not constitute an endorsement of their contents, which reflect the views of the authors only. Supporters and partners cannot be held responsible for any use that may be made of the information contained therein.