InfoBytes Blog

Financial Services Law Insights and Observations

EU says EU-US Data Privacy Framework lacks adequate protections

Privacy, Cyber Risk & Data Security Of Interest to Non-US Persons EU Consumer Protection EU-US Data Privacy Framework Biden GDPR

On February 14, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs released a draft motion for a resolution concerning the adequacy of protections afforded under the EU-US Data Privacy Framework. As previously covered by InfoBytes, last October President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (E.O.) to address the facilitation of transatlantic data flows between the EU and the U.S. The E.O. also outlined bolstered commitments that the U.S. will take under the EU-U.S. Data Privacy Framework (a replacement for the EU-U.S. Privacy Shield). In 2020, the Court of Justice of the EU (CJEU) annulled the EU-U.S. Privacy Shield after determining that, because the requirements of U.S. national security, public interest, and law enforcement have “primacy” over the data protection principles of the EU-U.S. Privacy Shield, data transferred under the EU-U.S. Privacy Shield would not be subject to the same level of protections prescribed by the EU’s General Data Protection Regulation (GDPR).

In the draft resolution, the Committee urged the European Commission not to adopt any new adequacy decisions needed for the EU-U.S. Data Privacy Framework to officially take effect. According to the Committee, the framework “fails to create actual equivalence in the level of protection” provided to EU residents’ transferred data. Among other things, the Committee found that the government surveillance backstops outlined in the E.O. “are not in line” with “long-standing key elements of the EU data protection regime as related to principles of proportionality and necessity.” The Committee also expressed concerns that “these principles will be interpreted solely in light of [U.S.] law and legal traditions” and appear to take a “broad interpretation” of proportionality. The Committee also flagged concerns that the framework does not establish an obligation to notify EU residents that their personal data has been processed, “thereby undermining their right to access or rectify their data.” Additionally, “the proposed redress process does not provide for an avenue for appeal in a federal court,” thereby removing the possibility for EU residents to claim damages. Moreover, “remedies available for commercial matters” are “largely left to the discretion of companies, which can select alternative remedy avenues such as dispute resolution mechanisms or the use of companies’ privacy [programs],” the Committee said.

The Committee called on the Commission “to continue negotiations with its [U.S.] counterparts with the aim of creating a mechanism that would ensure such equivalence and which would provide the adequate level of protection required by Union data protection law and the Charter as interpreted by the CJEU,” and urged the Commission “not to adopt the adequacy finding.”