On 11 May 2023, the European Parliament issued a resolution regarding the adequacy of the protection afforded by the EU-US Data Privacy Framework. In summary, the European Parliament has concluded that the EU-US Data Privacy Framework fails to create an essentially equivalent level of protection.
The resolution contains numerous points but the most relevant points include:
–In its resolution of 20 May 2021, the European Parliament called on the European Commission (“Commission”) not to adopt a new adequacy decision in relation to the US unless meaningful reforms were introduced. The Executive Order 14086 (“EO 14086) is not considered as sufficiently meaningful and that the Commission should not leave the task of protecting the fundamental rights of EU citizens to the Court of Justice of the European Union (“CJEU”);
–The Data Privacy Framework principles have not been sufficiently amended, when compared to those under the Privacy Shield, to provide essentially equivalent protection to that provided under the GDPR;
–The Commission was not in a position to assess the effectiveness of the proposed remedies and rules on data processing by public authorities in the US as the US Intelligence Community has until October 2023 to update its policies and practices to align with the commitment of EO 14086. Furthermore, the US Advocate General must still name the EU and its Member States as qualifying countries to be eligible to access the remedy avenue available under the Data Protection Review Court (“DPRC”).Most importantly, the Commission can only proceed with the next step of an adequacy decision after these deadlines have been met by the US to ensure that the commitments have been delivered in practice;
–The Commission and its US counterparts have been called upon to continue negotiations with the aim of creating a mechanism that would ensure such equivalence and which would provide an adequate level of protection as required by Union data protection law and the Charter;
–Calls on the Commission to act in the interest of EU businesses and citizens by ensuring that the proposed framework provides a solid, sufficient and future-oriented legal basis for EU-US data transfers; and
–Expects any adequacy decision, if adopted, to be challenged before the CJEU and highlights the Commission’s responsibility for the failure to protect EU citizens rights in the scenario where the adequacy decision is once again invalidated by the CJEU.
This week, MEPs of the Civil Liberties Committee will travel to the US to meet with members of the House of Representatives and Senator to discuss a wide range of current policy issues including security and child protection, data transfers and privacy, amongst others.
Until there is more clarity surrounding the EU-US Data Privacy Framework, organizations must ensure they adhere to the available transfer mechanisms and that the supplementary measures are implemented.
Does your organization have any questions about transferring personal data internationally to the US? Contact us, the Experts in Data Privacy at firstname.lastname@example.org for assistance.