What's the issue?
The European Commission has been working on overhauling aspects of the EU data and cybersecurity regimes with a particular focus on access to and protection of non-personal as well as personal data, and IoT products. More pressingly, it has also been working to resolve the issue of transfers of personal data from the EU to the USA by setting up a new framework to replace the Privacy Shield.
What's the development?
In the last few weeks we've seen progress on a number of fronts:
EU-US adequacy
At the end of February, the European Parliament's LIBE Committee refused to back the draft EU-US adequacy decision, saying the Data Protection Framework (DPF) does not provide EU citizens with a level of data protection equivalent to that in the EU. The Committee urged the Commission to renegotiate; however, its opinion is not binding on the Commission, as its role in the adoption process is limited to a right of scrutiny.
The European Data Protection Board's views, while also non-binding, arguably carry more weight and in early March, it adopted its Opinion on the adequate protection of personal data under the EU-US Data Privacy Framework (DPF). In summary, the EDPB welcomes improvements as compared with the Privacy Shield, in particular, the recognition of the principles of necessity and proportionality, and the enhanced oversight and redress regime. However, it also expresses a number of concerns, recommending the Commission seek clarification, and underlines that the effectiveness of the framework will depend on the extent to which it is followed through in practice. In other words, the EDPB is not dismissing the DPF nor seeking to block the EU-US adequacy decision, but neither is it giving unqualified support.
General data protection aspects
The EDPB comments that the DPF Principles have not changed significantly from those under the Privacy Shield. As a result, some of the issues of concern under the Privacy Shield remain, including those relating to the rights of data subjects, the absence of key definitions, lack of clarity around application to processors and a broad exemption for publicly available information. The EDPB is also concerned about protections for onward transfers, and the fact that protections around automated decision-making, profiling and AI technologies tend to be sector specific. The EDPB says that in these areas rules are needed to provide sufficient safeguards, including the right for the individual to know the logic involved, to challenge the decision, and to obtain human intervention where the decision significantly affects them.
The EDPB stresses the importance of effective oversight and enforcement and underlines the need for compliance checks. The EDPB says it will be monitoring these aspects, and the effectiveness of redress mechanisms (many of which are the same as those in the Privacy Shield) closely, including in the context of periodic reviews.
Access to EU personal data by US public authorities
The EDPB recommends that Executive Order 14086 (EO) be accompanied by updated policies and procedures across all US intelligence agencies. It recommends the Commission assess these and share its assessment with the EDPB. The EDPB says the EO represents a "significant improvement" by introducing additional safeguards and the concepts of necessity and proportionality into the US legal framework on signals intelligence. It also finds the proposed redress mechanism for EU citizens alleging unlawful use of their data by US public bodies to be "significantly improved" compared with the Ombudsperson mechanism under the Privacy Shield. However, the EDPB sees a need for further clarification on questions relating in particular to "temporary bulk collection" and to the further retention and dissemination of bulk collection data.
The EDPB's focus is on the holistic approach to the safeguards and it raises a number of concerns about particular aspects of the US bulk data collection regime under FISA and Executive Order 12333. It also raises concerns about the practical functioning of the Data Protection Review Court which, it says, will require monitoring by the Commission to ensure it is not routinely dismissing claims.
Review and monitoring
The EDPB concludes that the EO provides "substantial improvements" compared to the previous framework but asks for its concerns to be addressed and for the Commission to provide requested clarifications and ongoing monitoring of the implementation of the DPF and the safeguards it provides. It also says it expects the Commission to stick to its commitment to suspend, repeal or amend the adequacy decision on grounds of urgency if necessary.
Full steam ahead?
Despite expressing some concerns, the EDPB's Opinion does not contain anything likely to hold up a new EU-US adequacy decision and, notwithstanding the disapproval of the European Parliament's LIBE Committee, we should see the decision approved shortly.
Data Act
The European Parliament has agreed its negotiating position on the EC's draft Data Act. Suggested amendments include:
- clarifications of the types of data in scope
- strengthening trade secret protection for data holders
- clarifying provisions on switching cloud providers
- extending the fairness check which prevents large companies from imposing unfair contractual terms to all companies regardless of size
- clarifying what constitutes a public emergency allowing public bodies to request access to privately held data and allowing for fair remuneration for that access
- giving the European Data Innovation Board a role in coordinating enforcement of the Regulation.
Once the Council agrees its final position, trilogues will begin.
Cyber Resilience Act
A new compromise text for the Cyber Resilience Act has reportedly been published by the Swedish presidency of the EU Council. Suggestions are that proposed changes are not particularly significant and that some of the more controversial elements have not yet been amended. There is clarification on interaction with the AI Act and General Product Safety Regulation, a new article mandating Member States to put appeal procedures in place for product manufacturers to challenge the decision of accredited auditors, and clarification around categories of penalties.
European Commission to propose legislation to harmonise GDPR enforcement
The European Commission published a call for evidence at the end of February regarding its plans to introduce legislation to further harmonise GDPR enforcement by national regulators. The legislation is likely to harmonise administrative procedures and cooperation mechanisms for cross-border cases. The call closes on 24 March.
What does this mean for you?
These are EU developments but, once concluded, they are likely to have a significant impact on relevant cross-border UK businesses, which will also have to get to grips with a new UK data protection regime, as we discuss here, and other UK initiatives that parallel the EU proposals. The UK is also progressing a data bridge to facilitate frictionless data flows between the UK and the US, and will be keen to keep up with, if not outrun, the EU in reaching an adequacy arrangement with the US.