The proposed EU-U.S. Data Privacy Framework is an improvement, but not enough to justify an adequacy decision on personal data transfers, say MEPs in a resolution.
In a resolution adopted Thursday, MEPs argue that the European Commission should not grant the United States an adequacy decision deeming its level of personal data protection essentially equivalent to that of the EU and allowing for transfers of personal data between the EU and U.S. The text was adopted with 306 votes in favour, 27 against, and 231 abstaining.
According to the text, the EU-U.S. Data Privacy Framework is an improvement on previous frameworks, but does not provide for sufficient safeguards. MEPs note that the framework still allows for bulk collection of personal data in certain cases, does not make bulk data collection subject to independent prior authorisation, and does not provide for clear rules on data retention.
MEPs note that the Data Privacy Framework creates a Data Protection Review Court (“DPRC”) aimed at providing redress to EU data subjects, but its decisions would be secret, violating citizens’ right to access and rectify data about them. Moreover, DPRC judges could be dismissed by the U.S. President, who could also overrule its decisions, so the Review Court is not truly independent, say MEPs.
Lawsuit-proof regime needed to create legal certainty
In the resolution, MEPs argue that the framework for data transfers needs to be future-proof, and the assessment of adequacy needs to be based on the practical implementation of rules. The U.S. Intelligence Community is still updating its practises based on the Data Privacy Framework, so an assessment of its impact on the ground is not yet possible, say MEPs.
Noting that previous data transfer frameworks between the EU and the U.S. were invalidated by rulings of the Court of Justice of the European Union (most recently in the “Schrems II” case), MEPs urge the Commission to make sure that the future framework can withstand legal challenges and provide legal certainty to EU citizens and businesses. To achieve this, the Commission should not grant an adequacy decision based on the current regime, and should instead negotiate a data transfer framework that is likely to be held up in court, they argue.
Quote
After the vote, rapporteur Juan Fernando López Aguilar (S&D, ES) said:
“We are discussing a privacy framework with the U.S. for the third time, after previous regimes were struck down by the European Court of Justice. This new proposal contains significant improvements, but unfortunately, we are not there yet. There are still missing elements on judicial independence, transparency, access to justice, and remedies. So, we call on the Commission to continue negotiations and properly address these concerns. The mechanism must genuinely protect the data of EU citizens and businesses.”
Background
The European Commission is in the process of adopting an adequacy decision for data transfers based on the EU-U.S. Data Privacy Framework.
From 15 to 18 May, a delegation of the Committee on Civil Liberties, Justice and Home Affairs will visit Washington, D.C. for an annual round of dialogue with U.S. lawmakers and other stakeholders, discussing privacy and data protection among other topics.
Source – EU Parliament