A shiny new data transfer Agreement between the European Union and the United States aimed at fixing costly legal uncertainty on exports of personal data is not yet in place, but the European Parliament’s civil liberties committee predicts that the incoming EU and US data privacy Framework (DPF) will not survive a legal challenge, just as than its two predecessors, Safe Harbor (RIP: October 2015); and Privacy Shield (RIP: July 2020), failed to impress the EU judges.

In a resolution approved yesterday by the LIBE Commission, with 37 votes in favour, none against and 21 abstentions, the MEPs described the DPF as an improvement which, however, is not enough. They also predicted that it is likely to be invalidated by the Court of Justice of the EU (CJEU) in the future.

development continues a draft LIBE opinionin February, he also rejected the proposal and urged the Commission to push for meaningful reforms.

In the resolution, the committee considers that the proposed agreement does not provide sufficient guarantees for EU citizens, since the framework still allows the mass collection of personal data in certain cases; does not make bulk data collection conditional on independent prior authorization; and does not provide clear rules on data retention.

MEPs are also concerned that a proposed redress mechanism, the so-called “Data Protection Review Tribunal”, violates the rights of EU citizens to access and rectify data about them, as decisions would be kept secret. . They also question their independence since the judges could be removed by the US president, who could also annul their decisions.

“In the resolution, MEPs argue that the framework for data transfers must be future-proof, and the assessment of adequacy must be based on the practical implementation of the rules,” according to a parliament. Press releasewho said the committee urged the Commission not to grant adequacy on the basis of the current regime and instead to negotiate a data transfer framework which is likely to be delayed in court.

commenting on statement After the vote, the LIBE commission rapporteur, Juan Fernando López Aguilar, said:

The new framework is certainly an improvement compared to the previous mechanisms. However, we are not there yet. We are not convinced that this new framework sufficiently protects the personal data of our citizens and therefore we doubt that it will survive the test of the CJEU. The Commission must continue to work to address the concerns raised by the European Data Protection Board (EDPB) and the Civil Liberties Committee, even if it means reopening negotiations with the US.

In February, the EDPB adopted Your opinion in the framework, expressing the agreement as an enhancement to the Privacy Shield as well. But the influential governing body also raised a number of concerns that it recommended addressing and seeking clarification to “ensure that the adequacy decision endures.”

The LIBE committee vote is part of the general EU scrutiny process. Although it is important to note that MPs do not have an active opinion on whether or not to adopt the DPF, not even the EDPB. The last word on adequacy decisions rests solely with the Commission.

At the same time, it is obviously uncomfortable if doubts are raised within the EU about the robustness and sustainability of the planned replacement framework.

The European Parliament as a whole will also be able to express an opinion, through a future plenary session that will consider the resolution of the LIBE committee. So it will be interesting to see which way the MPs break.

The DPF is the bloc’s latest high-level offer to resolve the head-on clash between EU privacy rights and US surveillance powers by including another so-called adequacy decision to facilitate data flows between the EU and US The proposed framework builds on previous (defunct) attempts by establishing a new set of provisions intended to cover up important differences, such as a statement of “binding safeguards” to limit access by US intelligence agencies to the data, including the introduction of the concepts of necessity and proportionality; and a promise of better oversight of spy surveillance.

As noted above, a new Data Protection Review Tribunal will also be created which is supposed to add to an independent redress mechanism capable of resolving complaints from EU citizens to the level required by European judges. But that critics maintain that it is not an adequate court, in the full legal sense, so it will not pass the test with the CJEU.

One thing is clear: it’s taking a lot longer to adopt an agreement this time around now that the supply of simple adhesive bandages has run out.

The Commission reached an agreement in principle on the DPF a little over a year ago. then took about six months that the President of the United States, Joe Biden, sign an Executive Order necessary to implement the replacement. while I was almost nine months since the announcement of the agreement for the EU to reach a draft agreement (around two months after the EO). At that time, a process of review and scrutiny of the draft by other EU institutions began, which is still ongoing.

(By contrast, the EU-US Privacy Shield has accelerated since it was announced as incoming in February 2016 to officially adopted in July and in operation at the beginning of August of the same year. Then, the CJEU took a little over four years to withdraw it. So there are certainly lessons to be learned from lawmakers who act in haste and repent here.)

In April of last year, the Commission He suggested The entire Privacy Shield replacement process could be “finalized” by the end of 2022. And if finalized means adopted, that was certainly overly optimistic since it’s spring 2023 and the process continues.

Some reports have suggested that the DPF will not be adopted before the summer (Reuters cites anonymous officials suggesting it could be ready by July).

When asked about the expected date for adoption, a Commission spokesperson told TechCrunch that it cannot provide a precise timeline as the process involves multiple stakeholders.

It also stipulated that it is “carefully” considering the EDPB’s opinion and working to address their comments and requests for clarification before moving on to the next phase of the adoption process, which will involve seeking approval from a committee of representatives of EDPB member states. EU.

The Commission will clearly want to avoid the egg in the face of a third strike, which probably explains why adoption is taking longer than expected. And why he is careful to avoid being accused of ignoring the concerns of the EDPB and others.

The EU-US data. US of Meta flow in the frame

While the intricacies of EU comitology may seem like an extremely dry topic, there is a very tangible consequence associated with the adoption of the DPF. That’s because tech giant Meta, which owns Facebook and Instagram, is facing a data stop order that could force it to halt its exports of user data from the EU. And since Facebook is not federated, he could be forced to shut down the service to EU users to comply with the order.

Ireland’s data watchdog issued a preliminary order to this end in fall 2020. After which, Meta was granted a stay and also applied for a judicial review, which she managed to delay the process for a while. But she ran out of steam in that particular legal challenge in May 2021. And then a revised draft decision was issued in February 2022.

The original challenge to EU-US data flows. Meta’s US relies on the same central issue of US surveillance versus EU privacy, but the complaint actually dates back to the year of the Snowden revelations. So there’s been about a decade of regulations on this issue and there’s still no final decision.

However, an end is, theoretically, finally in sight.

yesterday he edpb confirmed that it has made a binding decision on the matter, meaning Meta’s main EU DPA, the Irish Data Protection Commission (DPC), must issue a final decision within a month. So in the middle of May.

Last summer the social media giant narrowly avoided an earlier outage scenario when EU data protection authorities disagreed with the DPC’s draft decision, kicking off a dispute resolution process built into the General Data Protection Regulation (GDPR) that eventually led the EDPB to have to intervene and make a binding decision.

We don’t yet know what the decision says, but since the preliminary order was for a stay, it seems unlikely that the Board will reach a radically different result. AND With this tortuous GDPR enforcement process coming to an end, the question now is what will come first: An order to Meta to shut down its EU-US data flows? USA, or the adoption of the EU-US DPF. USA?

The latter scenario, of course, would provide a new avenue of escape for Meta to use to avoid a stop order.

Although, if the DPF arrives before the final order from the DPC, it is the same scenario: the company will take advantage of the high-level framework to renew its claim to be fully compliant with EU rules and go back down the road (probably for many More years).

But even if an order comes first for Meta to suspend its data streams, the company will surely dedicate all its local lawyers to finding new ways to hold the knife back. An appeal of any regulatory order to stop the export of user data from the EU is safe. You can also try to stay the execution pending the outcome of your appeal. Although it is not certain that the courts will allow it.

However, there is also another possibility. The DPC’s final decision could provide Meta with a period of time to shut down the data streams, say two or three months, which could give it enough time for the DPF to be adopted, allowing it to restart its legal basis using the new frame. and avoid the threat of a shutdown once again.

Last month, DPC Commissioner Helen Dixon admitted Reuters the timeline was “coming to the end”.

Privacy watchers will no doubt be looking at this one closely to see if Meta faces a final reckoning over data transfers for finally, for a long time. Or if he clings to another way to continue to confront regulators and lawmakers.