The European Parliament’s Civil Liberties Committee is expected to adopt a non-binding resolution calling on the European Commission to renegotiate the Data Privacy Framework for transatlantic data flows until fundamental rights concerns are fully addressed. The resolution is expected to receive broad support, and some last-minute amendments are possible before the plenary vote in May.
Delegation of MEPs to visit the United States
Following the plenary vote, a delegation of MEPs from the Civil Liberties Committee is scheduled to visit the United States to meet parts of the federal administration, government agencies, and bodies set up to enforce the new privacy framework.
New data adequacy decision
The Commission is adopting a data adequacy decision to provide a legal basis for transferring data of EU residents to the United States. A new legal framework was necessary after previous ones were ruled illegal by the EU Court of Justice in the Schrems cases.
EDPB non-binding opinion
The European Data Protection Board (EDPB) has already reviewed the EU-US Data Privacy Framework with a non-binding opinion. The Board welcomes the progress made by the US, but also puts forth significant caveats.
MEPs call on the Commission not to adopt the adequacy decision
MEPs are calling on the Commission not to adopt the adequacy decision until the EDPB’s and the resolution’s recommendations are fully implemented. The motion also notes that the US intelligence community has until October to update its policies, meaning that the Commission will not have the time to assess how the new policies work out in practice.
Political or commercial interests should not dictate adequacy decisions
MEPs are calling on the Commission to take responsibility if the adequacy decision is again overturned in Court, stressing that political or commercial interests should not dictate adequacy decisions.
Concerns related to the future-proofness of the Data Privacy Framework
Other points of concern related to the future-proofness of the Data Privacy Framework, its underlying principles and its redress mechanism. The resolution is non-binding, but the European Parliament could challenge the decision if it considers the Commission overstepped its powers.
Review adequacy decision every three years
MEPs want the Commission to review the adequacy decision every three years, as requested by the EDPB, and include a sunset clause by which the adequacy decision expires automatically.
Proportionality and necessity
The EU Court considered that US intelligence agencies have disproportionate access to personal data from the EU. Thus, the Executive Order requires these intelligence activities to be carried out against pre-defined security objectives and bound by the principles of proportionality and necessity. However, MEPs regret that the US President might amend the list of pre-set objectives with no obligation to inform anyone and that no proportionality assessment is needed for each surveillance decision.
Interpretation of principles solely in the light of US law
Furthermore, the resolution points out that “for the purposes of the EU-US Data Privacy Framework, these principles would be interpreted solely in the light of US law and legal traditions and not those of the EU.”
To address the issue of the absence of redress mechanism for EU citizens in US courts, the Executive Order has established a two-layer mechanism with a Civil Liberties Protection Officer and an ad hoc Data Protection Review Court. However, the resolution considers this to be insufficient, as the decisions of this court would be classified, providing no visibility on how key legal concepts are being interpreted, nor on the outcome of cases.
Moreover, the Executive Order falls short in providing an avenue to appeal the decision before a federal court or for the complainant to seek damages. The court’s independence is also problematic, as the US President can overrule its decisions in secret and remove the judges during their term.
While the Executive Order states that targeted data collection should be prioritized, MEPs are concerned that the US Foreign Intelligence Surveillance Act provision that allows security services to target non-American citizens remains unchanged. Furthermore, the resolution notes that bulk data collection is still permitted under certain circumstances, without the prior authorization of an independent authority or strict data retention rules.
In conclusion, the resolution to be adopted by the European Parliament’s Civil Liberties Committee on Thursday will urge the European Commission not to endorse the Data Privacy Framework for transatlantic data flows until fundamental rights concerns are fully addressed. The resolution is expected to receive broad support, and MEPs are going one step further, asking the Commission not to adopt the adequacy decision until the recommendations of the European Data Protection Board and the resolution are fully implemented.
The MEPs are concerned about the future-proofness of the Data Privacy Framework, the underlying principles, and the redress mechanism, and they stress that political or commercial interests should not dictate adequacy decisions. While the resolution is non-binding, the European Parliament could challenge the decision if it considers the Commission overstepped its powers.
In the end, the adoption of this resolution could delay the adoption of the Data Privacy Framework, which is crucial for transatlantic data flows, as it would ensure that the personal data of EU residents is adequately protected when transferred to the United States.
DELTA Data Protection & Compliance, Inc. Academy & Consulting – The DELTA NEWS – Visit: delta-compliance.com
Author: Shernaz Jaehnel, Attorney at Law, CDPO/CIPP/CIPM, Compliance, ESG & Risk Manager