Does current US policy offer a level of privacy and rule of law protections that are essentially equivalent to those required in EU law so that transatlantic data transfers are lawful? And can the new EU-US Data Privacy Framework (DPF) be expected to comprehensively satisfy a legal test by the Court of Justice of the European Union?
This new CEPS Task Force Report implements a legal evaluation or ‘fitness check’ of the DPF and the European Commission’s 2023 Adequacy Decision, comparing them to the preceding ‘Safe Harbor’ (2000) and ‘Privacy Shield’ (2016) arrangements. Both were invalided by the Court of Justice as they ran contrary to EU Treaties principles and rights. In examining the new DPF, the report’s assessment pays particular attention to its impacts on legal certainty, privacy, the rule of law, and trust between policymakers, regulators, companies and data citizens.
The report concludes that the current DPF framework still generates profound legal uncertainty. Despite noticeable and welcomed improvements under Executive Order (EO) 14086, US policy still does not fully satisfy the essential equivalence test and the Court of Justice’s benchmarks.
The report concludes with a set of policy recommendations that aim to inform EU policy and EU-US transatlantic relations on data transfers.
Franziska Boehm is a law Professor at FIZ Karlsruhe and Karlsruhe Institute of Technology, KIT; Sergio Carrera is Senior Research Fellow and Head of the Justice and Home Affairs Unit at CEPS; Valsamis Mitsilegas is Professor of European and Global Law and Dean of the School of Law and Social Justice at the University of Liverpool.
