Report raises concerns around the latest EU-US Data Privacy Framework

Published on

A black corridor with a neon sign at the bottom with a large '?'.

new report from the Centre for European Policy Studies (CEPS), raises significant concerns about the latest EU-US Data Privacy Framework.

The study from University of Liverpool’s Professor Valsamis Mitsilegas, Dean of the School of Law and Social Justice, in partnership with Professor Franziska Boehm, FIZ Karlsruhe and Karlsruhe Institute of Technology, and Dr Sergio Carrera, CEPS, investigated the EU-US data transfers and their impact on the rule of law, rights, and trust.

The research found that despite some recent improvements, the US’ latest offering of protection to EU citizens and residents when it comes to the transfer of their data, did not meet the essential standards required by EU law. This leaves transatlantic data transfers in a state of legal uncertainty.

Previous efforts to negotiate – as demonstrated in Schrems I (2015) and Schrems II (2020) – have been unsuccessful as the third framework in the US still does not fully meet the EU's data protection standards. This has also raised concerns on the levels of surveillance allowed in the US, as the latest framework has left it unclear whether this will lead to any meaningful change in how US intelligence authorities monitor EU citizens.

Researchers recommend that the European Commission should ensure the strict application of EU legal benchmarks when assessing the adequacy of third-country data protection arrangements, avoiding considerations of geopolitical or international trade interests.

It is important to note that any person in the European Union has the right to challenge how their data is handled, even if their data is sent outside the EU. They can take their case to independent courts, including the European Court of Human Rights.

Therefore, researchers also recommend EU policies on international data transfers should be established in clear compliance with EU Treaty principles to guarantee legal certainty and trust.

So, with the latest EU-US Data Privacy Framework now operational, its future depends on whether it withstands scrutiny by the Court of Justice of the European Union (CJEU). Should a new case challenge its lawfulness, a positive outcome would be that the CJEU will ensure that EU citizens and residents receive the same rights and remedies they are entitled to in the EU, alleviating concerns of constant surveillance.

Speaking of the findings, Professor Valsamis Mitsilegas, Dean of the School of Law and Social Justice, shared:
“The report is a timely reminder of the need for the EU to uphold its human rights benchmarks in its external action. This is particularly important in the case of the transfer to third states of a wide range of personal data stemming from the everyday life of citizens.”

This report comes at a time of heightening scrutiny over international data transfers, particularly with the increased importance of digital trade.

As the European Commission continues to navigate the complex landscape of international data transfers, this report serves as a critical reminder of the importance of maintaining high standards of data protection and the rule of law in transatlantic relations.

Access the report: Reconstitutionalising privacy - EU-US data transfers and their impact on the rule of law, rights and trust


Related content