- EU citizens need legal certainty and a future-proof regime
- Rights to redress and access to information must be respected
- Current proposal likely to be invalidated by a court ruling, say MEPs
The proposed EU-U.S. Data Privacy Framework is an improvement, but not enough to justify an adequacy decision on personal data transfers, say MEPs in a resolution.
In a resolution adopted by Civil Liberties Committee MEPs on Thursday, MEPs argue that the European Commission should not grant the United States an adequacy decision deeming its level of personal data protection essentially equivalent to that of the EU and allowing for transfers of personal data between the EU and U.S.
According to the text, the EU-U.S. Data Privacy Framework is an improvement on previous frameworks, but does not provide for sufficient safeguards. MEPs note that the framework still allows for bulk collection of personal data in certain cases, does not make bulk data collection subject to independent prior authorisation, and does not provide for clear rules on data retention.
MEPs note that the Data Privacy Framework creates a Data Protection Review Court (“DPRC”) aimed at providing redress to EU data subjects, but its decisions would be secret, violating citizens’ right to access and rectify data about them. Moreover, DPRC judges could be dismissed by the U.S. President, who could also overrule its decisions, so the Review Court is not truly independent, say MEPs.
Lawsuit-proof regime needed for legal certainty
In the resolution, MEPs argue that the framework for data transfers needs to be future-proof, and the assessment of adequacy needs to be based on the practical implementation of rules. The U.S. Intelligence Community is still updating its practises based on the Data Privacy Framework, so an assessment of its impact on the ground is not yet possible, say MEPs.
Noting that previous data transfer frameworks between the EU and the U.S. were invalidated by rulings of the Court of Justice of the European Union (most recently in the “Schrems II” case), MEPs urge the Commission to make sure that the future framework can withstand legal challenges and provide legal certainty to EU citizens and businesses. To achieve this, the Commission should not grant an adequacy decision based on the current regime, and should instead negotiate a data transfer framework that is likely to be held up in court, they argue.
After the vote, rapporteur Juan Fernando López Aguilar (S&D, ES) said: “The new framework is certainly an improvement compared to previous mechanisms. However, we are not there yet. We are not convinced that this new framework sufficiently protects personal data of our citizens, and therefore we doubt it will survive the test of the CJEU. The Commission must continue working to address the concerns raised by the European Data Protection Board and the Civil Liberties Committee even if that means reopening the negotiations with the US.”
The European Commission is in the process of adopting an adequacy decision for data transfers based on the EU-U.S. Data Privacy Framework.
The resolution was adopted with 37 votes in favour, 0 against, and 21 abstaining. It will now be tabled for a future plenary session of the European Parliament.