On February 14, 2023, the European Parliament Committee on Civil Liberties, Justice and Home Affairs (“European Parliament Committee”) released its Draft Motion for a Resolution on the adequacy of the protection afforded by the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), in which it concluded that the EU-U.S. DPF fails to create actual equivalence in the level of data protection.
This announcement builds on a multi-year evolution of cross-border data transfers between the EU and the U.S. Check out our previous overview of the European Commission’s (“EU Commission”) draft adequacy decision and deep dive into President Biden’s October 2022 Executive Order on Enhancing Safeguards for U.S. Signals Intelligence Activities.
In this blog, we delve into the European Parliament Committee’s primary reasons for rejecting the EU-U.S. Data Privacy Framework as it currently stands, and the key takeaways as we continue to wait for a final decision.
The European Parliament Committee’s Conclusions
The European Parliament Committee:
- concludes that the EU-U.S. Data Privacy Framework fails to create actual equivalence in the level of protection;
- calls on the EU Commission to continue negotiations with its U.S. counterparts with the aim of creating a mechanism that would ensure such equivalence and which would provide the adequate level of protection required by EU data protection law and the Charter as interpreted by the Court of Justice of the European Union (“CJEU”); and
- urges the EU Commission not to adopt the adequacy finding.
The European Parliament Committee arrived at the above conclusions based on the absence of a federal privacy and data protection legislation in the U.S. and the differing definitions of “necessity” and “proportionality” under EU and U.S. law.
The Draft Motion highlighted the fact that, unlike all other third countries that have received an adequacy decision under the EU’s General Data Protection Regulation (“EU GDPR”), the U.S. still does not have a federal data protection law. In the absence of a federal data protection law, the primary concern is that the U.S. President can amend the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (“Executive Order”) at any time, raising the same concerns of access to personal data raised in the Schrems II decision that invalidated the EU-US Privacy Shield.
Furthermore, the European Parliament Committee notes that the substantive definitions of the principles of necessity and proportionality under the Executive Order are not in line with their definitions under EU law and their interpretation by the CJEU. The European Parliament Committee finds that the Executive Order does not prohibit the bulk collection of data by U.S. signals intelligence and that the language of “validated intelligence priority” allows for an overly broad interpretation. Additionally, the European Parliament Committee points out that the Executive Order does not apply to data accessed by public authorities under the U.S. Cloud Act or the U.S. Patriot Act and that the proposed Data Protection Review Court (“DPRC”) does not meet the standards of independence and impartiality of Article 47 of the Charter.
What’s Next?
On Wednesday, March 1st, the members of the European Parliament will debate the Draft Motion for a Resolution on the EU Commission’s draft adequacy finding covering the EU-U.S. DPF, as well as the relevant opinion of the European Data Protection Board (“EDPB”).
Key Takeaways
The European Parliament Committee acknowledges that businesses need and deserve legal certainty with respect to EU-U.S. data transfers and that the repeal of previous transfer mechanisms by the CJEU has created additional costs for businesses. The European Parliament Committee also acknowledges that this continuing uncertainty is particularly burdensome for micro-, small-, and medium-sized enterprises.
It seems like businesses will continue to wade in this uncertainty for the time being. However, businesses should take note that an adequacy decision is not the only tool for international transfers. The Standard Contractual Clauses remain a current and viable option.
Octillo will continue to monitor and provide further guidance as new developments arise. If you have any questions regarding this development, please contact a member of our data privacy attorney team.
*Attorney advertising. Prior results do not guarantee a similar outcome.