The European Parliament Committee on Civil Liberties, Justice and Home Affairs adopted a resolution on Thursday rejecting the proposed EU-U.S. Data Privacy Framework. Members of the European Parliament (MEPs) commented that while the framework was an improvement, it did not meet the requirements to justify an adequacy decision.
The European Commission initiated the process of adopting an adequacy decision for the EU-U.S. Data Privacy Framework on December 13th. The decision aims to facilitate trans-Atlantic data transfers and to resolve the concerns raised by the Court of Justice of the European Union in its Schrems II decision of July 2020.
This draft adequacy decision entails that the U.S. would ensure that personal data transferred from the EU to the U.S. are adequately protected. This decision was made after a thorough analysis and assessment of the Data Privacy Framework, including the obligations it imposes on companies, as well as the restraints and security measures governing U.S. public authorities' access to EU citizens’ personal data, specifically for the purposes of criminal law enforcement and national security.
MEPs noted that although the framework has some improvements, it still permits the bulk gathering of personal data under specific circumstances. Additionally, it does not require independent authorization before bulk data collection and does not establish explicit guidelines for data retention.
MEPs have pointed out that the Data Privacy Framework introduces a Data Protection Review Court (DPRC) to address compensation and facilitate complaints for EU data subjects. However, its decisions would be classified, which would violate data subjects’ right to access and rectification of their personal data. Furthermore, the U.S. President could potentially dismiss the DPRC judges and strike down its decisions. Therefore, MEPs believe that the Review Court lacks independence. They had previously raised this concern in their draft opinion on the matter in February.
MEPs argue in the resolution that the framework has to be future-proof and that the adequacy assessment by the Commission must depend on how the U.S. privacy rules are implemented in practice. The U.S. Intelligence Community is still adapting its approach and methods pursuant to the Data Privacy Framework. Therefore, according to the MEPs, an evaluation of its effect and consequences is not yet possible.
Since the prior data transfer frameworks between the EU and the U.S. were struck down by the Court of Justice of the European Union, most recently in its decision in the Schrems II case, MEPs are urging the Commission to ensure that the future framework is capable of withstanding legal challenges and offers legal certainty to EU citizens and companies. To accomplish this goal, MEPs advise the Commission not to grant an adequacy decision based on the current framework. Instead, it should work out a framework that would be likely to be upheld in court.
MEPs have adopted the resolution with 37 votes in favor, no votes against, and 21 abstentions. The resolution will now be postponed for a future plenary session of the European Parliament.
Organizations must ensure that they follow the existing transfer mechanisms, such as SCCs and TIAs, and implement any additional measures until there is more clarity regarding the EU-US Data Privacy Framework.