EU Data Protection Board Casts Doubt on Privacy FrameworkEDPB Chair Jelinek Says Agreement for EU-US Data Flows Raises 'Privacy Concerns'
The European agency responsible for overseeing consistent application of privacy law on the continent says it has reservations about the legal framework underpinning commercial trans-Atlantic data flows as the framework moves toward formal acceptance by the European Commission.
Europe's executive body in December adopted a draft adequacy decision paving the way for formal ratification of a pact dubbed the EU-U.S. Data Privacy Framework. The framework is the outcome of nearly two years of negotiations between Brussels and Washington, instigated by a Court of Justice of the European Union 2020 decision invalidating Privacy Shield, the legal mechanism underpinning trans-Atlantic commercial data flows since mid-2016.
Even its proponents acknowledge that, if finalized, the framework will come under a possibly successful legal challenge from European privacy advocates (see: EU-US Data Privacy Framework in Activist's Crosshairs).
The European Data Protection Board on Tuesday published an analysis of the framework, lauding "substantial improvements" but simultaneously expressing "concerns" and requesting "clarifications on several points."
The concerns include "the absence of key definitions," the broad exemption from framework principles of publicly available information and "the lack of specific rules on automated decision-making and profiling."
"Overall, the EDPB welcomes the Data Protection Framework, but we have identified several privacy concerns," EDPB Chair Andrea Jelinek told a European Union parliamentary committee hearing on Wednesday. "The EDPB recommends that the commission assess these updated policies and procedures before its implementation."
Responding to the agency's observations, EU Justice Commissioner Didier Reynders tweeted on Tuesday that his agency will "carefully analyze" the privacy agency's recommendations. He also said the commission is waiting for the positions of the European Parliament and EU Council. Close observers in Brussels expect the Parliament to vote on a resolution urging the commission not to approve the framework, although the disapprobation would not be binding.
Members of the European Parliament's Committee on Civil Liberties, Justice and Home Affairs earlier urged the European Commission not to adopt an adequacy ruling, arguing that the framework "fails to create actual equivalence in protection" with the EU's General Data Protection Regulation.