- EU Court twice found EU–US data transfer regimes non-compliant with European data privacy rules
- Commission should issue clear guidelines in line with court rulings and EU Data Protection Board (EDPB) opinions
- Commission should start infringement procedures against Ireland for failure to enforce GDPR
- Data storage in Europe is necessary to reach data autonomy
After the EU court rejected an earlier framework for data transfers to the US, EU authorities should set clear rules in line with the Court’s findings, MEPs say.
In a resolution adopted with 541 in favour, 1 against and 151 abstaining, the European Parliament urges the Commission to issue guidelines on making data transfers compliant with recent EU Court of Justice rulings. The court considered US data transfers to be inconsistent with the General Data Protection Regulation (GDPR), notably because US authorities may access personal data in bulk.
MEPs stress the Commission should not conclude new adequacy decisions with third countries without taking into account the implications of EU court rulings and ensuring full GDPR compliance. Data storage capabilities must be developed within Europe, MEPs point out, to achieve true autonomy in data management.
MEPs welcome the EDPB’s guidelines (e.g. its recommendations for data transfers and a Joint Opinion with the European Data Protection Supervisor on the issue) for safeguards related to third country data transfers and call on the Commission to fully integrate these in its proposals, alongside relevant EU court judgments. In the end, businesses and individuals should have at their disposal a toolbox of measures to bring protection up to the level required by the GDPR.
The role of data protection authorities
MEPs express disappointment with the Irish Data Protection Commission (DPC) and its decision to initiate the Schrems court case instead of independently triggering enforcement procedures based on GDPR rules, while also criticising the DPC’s long processing times. The Parliament calls on the Commission to launch infringement procedures against Ireland for failing to effectively enforce the GDPR, and asks that national authorities across Europe halt transfers of data that could be accessed in bulk in the US if the Commission reaches an adequacy decision regarding that country.
More generally, the resolution criticises national authorities in the EU for failing to enforce the GDPR properly, as MEPs consider them to have overlooked international data transfers and failed to take meaningful corrective decisions.
Quote
After the vote, rapporteur Juan Fernando López Aguilar (S&D, ES) said: “The Commission must not repeat the same mistakes by negotiating data transfer agreements with the United States. We do not want to witness a “Schrems III” case so it is crucial the Commission gets it right this time.”
Background
In its “Schrems II” ruling of 16 July 2020, the European Court of Justice found that the current framework for EU-US data transfers (“Privacy Shield”) did not sufficiently protect the personal data of EU users, as required by the General Data Protection Regulation (GDPR). The court thus overturned the Commission’s earlier decision to consider US data protection equivalent to that of the EU. The court accepted the use of standard contractual clauses (“SCCs”) to facilitate transfers, as long as EU-based entities verify the recipient country’s level of data protection before the transfer. However, where data fall under the scope of the US Foreign Intelligence Surveillance Act (FISA), there is a risk that they are subject to mass surveillance. The European Commission is currently working with US Secretary of Commerce Gina Raimondo on a new framework for EU–US data transfers.
Further information