- Court of Justice twice found EU-US data transfer regimes non-compliant with EU data privacy rules
- Commission and EU Data Protection Board should produce clear guidelines in line with rulings
- Commission should start infringement procedures against Ireland for lack of GDPR enforcement
After the EU court rejected an earlier framework for data transfers with the US, data protection authorities should set clear rules in line with the Court’s findings, MEPs say.
In a draft report adopted on Tuesday by 53 votes in favour to one against and 12 abstentions, the Civil Liberties Committee urges the Commission to issue detailed guidelines on making data transfers compliant with recent EU Court of Justice rulings. MEPs stress the Commission should not conclude new adequacy decisions with third countries without taking into account the implications of EU court rulings. They urge the Commission to assess the impact of the Court’s rulings on current data transfers to the US.
The role of data protection authorities
Civil Liberties Committee members express disappointment with the Irish Data Protection Commission (DPC) and its decision to initiate the Schrems court case instead of independently triggering enforcement procedures in the EU’s General Data Protection Regulation (GDPR), while also criticising the DPC’s long processing times. MEPs call on the Commission to launch infringement procedures against Ireland for failing to enforce effectively the GDPR.
More generally, the report criticises the enforcement of the GDPR by national authorities, who MEPs consider to have overlooked international data transfers and failed to take meaningful corrective decisions. The report adopted today urges the Commission and the European Data Protection Board (EDPB) to collaborate on guidelines for a toolbox of privacy-boosting measures, while considering recent CJEU rulings. In addition, the Commission should integrate the EDPB’s feedback (e.g. its Joint Opinion 2/2021) into its proposals.
After the vote, rapporteur Juan Fernando López Aguilar (S&D, ES) said: “The European Parliament has issued several calls for the Commission to address the problems arising from the functioning of the EU-US Privacy Shield. Therefore, its invalidation by the CJEU does not come as a surprise. The Parliament demands that when the Commission negotiates any new personal data transfer agreements with the US, it ensures compliance with GDPR and every aspect of the CJEU rulings.”
In its “Schrems II” ruling on 16 July 2020, the European Court of Justice found that the current framework for EU-US data transfers (“Privacy Shield”) did not sufficiently protect the personal data of EU users, as required by the General Data Protection Regulation (GDPR). The court thus overturned the Commission’s earlier decision to consider US data protection equivalent to that of the EU.
The court accepted the use of standard contractual clauses (“SCCs”) to facilitate transfers, as long as EU-based entities verify the recipient country’s level of data protection before the transfer. According to the Civil Liberties Committee, businesses may struggle to assess third country regimes due to a lack of resources, meaning that clear EU guidelines on GDPR-compliant data transfers are necessary to provide certainty and stability.
The non-legislative draft resolution will be debated in a future plenary session and put to the vote by the full House.