Author: Dr. Scott Allendevaux
The EU Parliament recently sent a strong message when it passed a resolution against granting the United States an adequacy decision. This decision could be seen as a setback for the Trans-Atlantic Data Privacy Framework (TADPF), which was devised to allow secure personal data transfer between the EU and the U.S. This vote, passed with 306 votes in favour, 27 against, and a notable 231 abstaining, may cast a long shadow on the future of international data transfers.
The result highlights the EU Parliament's view that the United States' level of personal data protection is not essentially equivalent to that of the EU, despite recent attempts such as Executive Order 14086. The Order, signed by U.S. President Joe Biden in October 2022, was intended to provide new guarantees for the protection of EU citizens' personal data. However, it has been criticized because it can be easily revoked or amended by any sitting U.S. president, casting doubt over its long-term reliability. The resolution draws attention to the potential instability of the framework, further stoking the concerns of privacy advocates.
The European Parliament's resolution also scrutinizes several other concerns: the U.S. practice of bulk data collection, a perceived shortcoming of the U.S. Data Protection Review Court (DPRC), the absence of a federal data protection law in the U.S., and the general surveillance of non-U.S. persons under U.S. law.
Interestingly, the high number of abstentions, nearly 43% of the votes cast, hints at the complexity and divisiveness of this issue within the European Parliament. This may suggest that while many MEPs have reservations about the U.S. approach to data privacy, they may not entirely oppose a new agreement on data transfers that addresses these areas.
Shifting Focus: The European Commission Steps into the Limelight
Now, the spotlight shifts to the European Commission. Although the Parliament's resolution carries political weight, it's the Commission that has the final say on whether to grant the United States an adequacy decision. However, the Commission must also consider the European Court of Justice's rulings and the EU Charter of Fundamental Rights, or risk facing potential legal challenges.
What does this mean for companies operating in this context? With the future of the EU-U.S. Data Privacy Framework in doubt, companies will likely have to continue relying on Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) for international data transfers. Although this offers a legal mechanism for data transfer between the EU and the U.S., it is a more burdensome process and could increase operational complexity for businesses.
What's Next? Potential Scenarios for Transatlantic Data Privacy
As we move forward, the complexities of navigating data privacy laws in an increasingly interconnected global digital landscape pose significant challenges. Here are some potential scenarios:
Scenario 1: Successful Negotiation of a New Framework
In this scenario, the EU and the U.S. reach a consensus on a new, robust data transfer framework, addressing all the issues raised by the European Parliament. This new agreement would include explicit safeguards to prevent mass surveillance by U.S. intelligence agencies, legal remedies for EU citizens concerning their data, and a level of data protection considered equivalent to that of the EU. However, given the history of the past frameworks and the stringent requirements of the EU, this would require significant concessions and changes from the U.S., making it a challenging scenario to realize.
Scenario 2: Continuation of Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs)
If an agreement isn't reached, companies may have to continue relying on SCCs and BCRs for data transfers, as they've been doing since the invalidation of the Privacy Shield. This would continue to put administrative and legal burdens on companies, making transatlantic business operations more complex and costly.
Scenario 3: U.S. Federal Data Protection Law
Another possible scenario involves the U.S. implementing its own comprehensive federal data protection law, modeled after the GDPR. This could potentially bring the U.S. data protection standards closer to those of the EU, making an adequacy decision more attainable. However, given the complex political landscape and differing views on privacy in the U.S., this is also a challenging outcome.
Scenario 4: EU Companies Rely More on Local or EU-Based Providers
Facing uncertainties in transatlantic data transfers, EU companies might increasingly turn to local or EU-based data service providers, leading to a decrease in reliance on U.S. companies for data processing. This could also spur innovation and growth within the European digital economy, though it might limit choice and potentially increase costs for EU businesses in the short term.
Scenario 5: Increased Fragmentation and 'Data Localization'
The lack of a stable framework could result in increased fragmentation in the global digital economy. Some companies might choose, or be forced, to store and process data locally – a concept known as data localization. This approach, however, might not only lead to increased costs for businesses but also hinder global digital innovation.
In the Meantime: What Companies Must Do Amidst the Uncertainty
As we wait for the drama of international data privacy to unfold, companies must understand their current obligations under existing privacy regimes. Meeting these obligations involves a varied toolset of pragmatic instruments such as conducting privacy impact assessments, supplier assessments, privacy assessments, transfer assessments, and security assessments. Organisations will do well to adhere to EDPB guidance such as “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with EU level of protection of personal data (adopted 18 June 2021)”.
In this uncertain landscape, the only sure thing is that the debate on international data privacy is far from over. The outcome of these discussions will shape not only EU-U.S. relations but also the global discourse on data privacy and the digital economy.
Author: Dr. Scott Allendevaux | CIPP/US, CIPT, CIPM, CISSP, HCISPP
Scott holds a doctorate in law and policy from Northeastern University and specializes in building complex data protection programs for multinational companies. He can be reached at email@example.com.