Belgium, (Brussels Morning Newspaper) MEPs have moved to ban personal data transfers to the US under existing rules in a resolution adopted today, which they accuse of violating citizens’ rights.
MEPs from the Civil Liberties Committee argued that the European Commission should not grant the US an adequacy decision, deeming its level of personal data protection essentially equivalent to that of the EU and allowing for transfers of personal data between the EU and US.
“We are not there yet. We are not convinced that this new framework sufficiently protects personal data of our citizens, and therefore we doubt it will survive the test of the CJEU. The Commission must continue working to address the concerns raised by the European Data Protection Board and the Civil Liberties Committee even if that means reopening the negotiations with the US,” said MEP Juan Fernando López Aguilar, following the vote.
The text was adopted with 37 votes in favour, 0 against, while 21 MEPs abstained. Another vote is set to take place in a future plenary session.
Insufficient safeguards
According to the adopted text, the EU-US Data Privacy Framework is an improvement on previous frameworks but does not provide sufficient safeguards.
Policymakers state that the framework still allows for bulk collection of personal data in certain cases, does not make bulk data collection subject to independent prior authorisation, and fails to provide clear rules on data retention.
US dominance
MEPs also noted that the current US Data Privacy Framework employs a Data Protection Review Court (“DPRC”), which is meant to provide redress to EU data subjects, but that its decisions would be secret, violating citizens’ right to access and rectify data about them.
Moreover, the “data court” judges could be dismissed by the US President, who could also overrule its decisions, meaning that the Review Court is not truly independent, according to MEPs.
Politicians further argue that the framework for data transfers needs to be future-proof, and the assessment of adequacy needs to be based on the practical implementation of rules.
Since the US Intelligence Community is still updating its practices based on the Data Privacy Framework, it’s not yet possible to assess its impact on the ground, MEPs noted.
EU-US Data Privacy Framework
On 13 December, the European Commission launched the process to adopt an adequacy decision for the EU-US Data Privacy Framework, which is meant to foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in July 2020. This declared parts of the predecessor framework invalid, on account of extensive US intelligence powers and insufficient redress mechanisms. The EU executive’s proposal follows the signature of an executive order by US President Biden on 7 October 2022.
In essence, the US Executive Order (14086) and its accompanying regulation are the first building block of the new framework on EU–US data transfer, the “EU–US Data Privacy Framework”.
After the US adoption of the executive order, the Commission proposed an adequacy decision determining that the revised US data protection standard was essentially equivalent to that of the EU, which has been contested by MEPs today.
Digital rights
Digital rights advocacy organisations such as NOYB, the Electronic Privacy Information Center (EPIC), the Center for Democracy and Technology (CDT) and AccessNow took a critical stance, emphasising deficits in aligning US with EU standards.
NOYB expressed criticism saying that the executive order only follows the letter, not the spirit of EU restrictions on bulk surveillance, and that the redress mechanism fails to meet EU standards of judicial protection, not least because the DPRC is part of the executive branch as opposed to the judicial branch.
Discussion about this post