The European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE committee) does not want the European Commission (EC) to extend an adequacy decision to the United States (US) based on the proposed EU-US Data Privacy Framework (DPF). This was made clear in its draft opinion published on the February 14.
In their opinion, the committee members have concluded that the proposed DPF “fails to create actual equivalence in the level of protection offered under the EU General Data Protection Regulation” and have urged the EC to only adopt a decision when “meaningful reforms were introduced, in particular for national security and intelligence purposes” on the part of the US.
The LIBE committee’s opinion is viewed by others as a noteworthy step towards accountability and warrants serious consideration before an adequacy decision is granted to the US.
Parliament and the European Data Protection Board (EDPB) each have the opportunity to present opinions, which are nonbinding, to the EC to consider towards its adequacy decision.
Maastricht University European Centre on Privacy and Cybersecurity Senior Visiting Fellow Paul Breitbarth has been quoted as saying “with the EDPB’s opinion on the framework weeks away, I think the Parliament’s resolution is very timely, and might also influence the (data protection authorities’) debate on whether or not the framework is indeed essentially equivalent.”
The LIBE committee has highlighted the key discrepancies with the DPF, with specific focus on the subject of equivalent protection and the proposed redress system the US plans to establish for EU citizens. Furthermore, MEPs have said that it is worrisome that there are differing definitions of key data protection concepts, such as the principles of necessity and proportionality, the absence of a comprehensive federal privacy legislation and adherence to a US Executive Order.
Another concern of MEPs is the proposed Data Protection Review Court as it raises concerns with a perceived lack of independence and general transparency. The committee’s view is that the Data Protection Review Court’s process is “based on secrecy and does not set up an obligation to notify the complainant that their personal data has been processed.” Furthermore, neither does it allow for appeals to federal courts nor the opportunity to claim for damages where appropriate.
This draft opinion will be formally presented in the LIBE committee at the beginning of March with the hope of finalization at the end of March. Thereafter, the opinion will go to a full parliament vote in April. The EC has maintained that it hopes to finalize the adequacy decision by July at the earliest.
Until there is more clarity surrounding the EU-US Data Privacy Framework, organizations must ensure they adhere to the available transfer mechanisms and that the supplementary measures are implemented.
Does your organization have any questions about transferring personal data internationally to the US? Contact us, the Experts in Data Privacy at email@example.com for assistance.