May 22, 2023
The EU Parliament has raised concerns over granting an adequacy decision in relation to the EU-US Data Privacy Framework and called on the EU Commission not to proceed until its concerns have been resolved.
In its Resolution of 20 May 2021, the EU Parliament called on the Commission not to adopt a new adequacy decision in relation to the US unless meaningful reforms were introduced, in particular for national security and intelligence purposes.
MEPs have now said in a new Resolution that they do not consider the US’s Executive Order 14086, which introduced the key data protection concepts of necessity and proportionality in relation to US government access to personal data transferred to the US, to be sufficiently meaningful. In MEPs’ view, the Commission should not leave the task of protecting EU citizens’ fundamental rights to the CJEU following receipt of complaints.
The Resolution states that the Commission should assess the adequacy of a third country based on legislation and practices in place not only in substance but also in practice, as established under Schrems I, Schrems II and the GDPR (Recital 104).
The Resolution states, the Data Privacy Framework principles issued by the US Department of Commerce have not been sufficiently amended, in comparison to those under the Privacy Shield, to provide essentially equivalent protection to that provided under the GDPR.
The Resolution notes that while the US is making an important commitment to improve access to remedies and rules on data processing by public authorities, the US Intelligence Community has until October 2023 to update its policies and practices in line with Executive Order 14086 and that the US Advocate General has yet to name the EU and its Member States as qualifying countries to be eligible to access remedies in the Data Protection Review Court. This means, the Resolution states, that the Commission is not in a position to assess the effectiveness of the proposed remedies and measures on access to data “in practice”. Accordingly, the Commission can only proceed with the next step of an adequacy decision once these deadlines and milestones have been met by the US.
The Resolution concludes that the EU-US Data Privacy Framework fails to create essential equivalence in the level of protection and calls on the Commission to continue negotiations with its US counterparts to create a mechanism that would ensure such equivalence and provide the adequate level of protection required by EU data protection law and the Charter as interpreted by the CJEU. The Resolution calls on the Commission not to adopt an adequacy decision until all recommendations in the Resolution and the EDPB’s Opinion are fully implemented. To read the Resolution in full, click here.