Privacy Framework draft isn't 'future-proof', say MEPs
Take 3: the data must flow. Hold on, warns Euro Parliament, not so fast
European Parliament doesn't want to be looking at yet another draft law regulating EU-US data flows, saying the proposed Privacy Framework is not "future-proof" enough.
Basically, MEPs' advice – and they voted 306-27 on this – is that they don't want the European Commission, the executive arm of the EU, to grant the US the adequacy decision that would trigger the implementation of the new deal.
You can't blame them, seeing as it's now Take 3 on an easy mechanism to regulate data processing between the US and the EU, after both Safe Harbor and Privacy Shield (Take 2, not to be confused with Privacy Framework, Take 3) were ruled invalid.
The Parliament said it "emphasises that adequacy decisions must include clear and strict mechanisms for monitoring and review in order to ensure that decisions are future proof or repealed or amended as necessary, and that EU citizens' fundamental right to data protection is guaranteed at all times."
It also reiterated there is no federal privacy and data protection legislation in the US, therefore a "comprehensive assessment of how these principles are implemented in the US legal order might not be possible due to a lack of transparency in Data Protection Review Court procedures."
The Data Protection Review Court is a mechanism put into place by the US to give European citizens the same right of redress they'd have at home.
What about standard contractual clauses?
According to the European Commission, model clauses are currently the most used data transfer mechanism, with the body adopting modernized standard contractual clauses, or SCCs, to facilitate their use, "in light of the requirements set by the Court of Justice in the Schrems II judgment."
Since Privacy Shield was struck down, companies have been forced to fall back on SCCs to cover themselves when sharing data between the EU and US. As well as being time-consuming to implement, SCCs may not be watertight.
Legal eagle Neil Brown previously told us that "where a transfer is based on an adequacy decision, there is no need for a transfer risk assessment – the destination is adequate, from an EU data protection perspective – and so the transfer is simpler and cheaper."
What's next for the Framework?
The news that MEPs advise against an adequacy decision for the US comes three months after EuroParl's Committee on Civil Liberties, Justice and Home Affairs put out a nonbinding draft opinion [PDF] arguing against signing the US data-transfer pact. At the time it said it wasn't keen on the complaints process being dealt with in total secrecy. It asked for a redress mechanism.
Commissioner for Justice Didier Reynders, meanwhile, argued hard for the deal this week, which will make life a bit easier (and, The Reg has heard, less expensive) for businesses importing and exporting data.
More trouble heads US CSPs' way
A new draft rule making the rounds at the EU cybersecurity agency ENISA reportedly says that cloud services providers that aren't based in Europe — like AWS, Google and Microsoft — may have to join forces with a business that is operating and maintaining a cloud from the EU if they want the agency to certify them for handling sensitive data.
The new Privacy Framework took more than a year of negotiations between the US and EU, with talks led by Secretary of Commerce Gina Raimondo and Reynders respectively. Reynders also worked with US Secretary of Commerce Wilbur Ross in the wake of the July 2020 judgement by the Court of Justice of the European Union in the Schrems II case that effectively took a hatchet to the Privacy Shield framework. That data flow mechanism was killed on account of invasive US surveillance programs that made transfers of personal data on the basis of the Privacy Shield Decision illegal.
Thousands of businesses had relied on the Privacy Shield and before that Safe Harbor to protect them before Europe's top court struck them both down.
By December last year, the executive EU arm said it felt that Privacy Framework was good enough, issuing a draft decision agreeing that measures taken by the States ensure sufficient protection for personal data to be transferred from the region to US companies.
As privacy expert Peter Houpermanns wrote here at the time, smaller orgs "without much in the way of IT knowledge and resources are at particular risk and may be caught out by this. Using services such as Gmail or Microsoft Office 365 now requires a careful re-examination of their Terms & Conditions."
The European Commission is expected to vote soon on whether to adopt its replacement.
Legal eagle Neil Brown commented that if he had to guess, he'd predict that there will be a vote, to keep momentum going, but that it will not pass.
He added: "That said, I'm not sure what 'enough' would look like here, to survive challenge, short of changes to US law which I doubt the USA is in a rush to make."