Other Author Salome Peters, Legal Intern
The European Parliament adopted a Resolution on 11 May 2023 against the adoption of an EU adequacy decision for the US based on the EU-US Data Privacy Framework (DPF). The Resolution comes after an analysis by the European Parliament of the Executive Order on Enhancing Safeguards For United States Signals Intelligence Activities (EO 14086), which was adopted in the US in order to implement the DPF (for more details, see our previous Legal Update).
The European Parliament took the view that the EU-US DPF fails to create essential equivalence in the level of protection as compared to the European framework. In the European Parliament’s view, EO 14086 does not provide sufficient safeguards for the transfer of personal data from the EU to the US, considering the below aspects:
- Signals intelligence practices in the US are still considered too broad, as they allow the collection of personal data in bulk, including the content of communications. EO 14086 contains safeguards with regard to bulk collection of data, but such collection is not subject to an independent prior authorization, which is required in order to limit US intelligence activities, as pointed out by the European Data Protection Board in its opinion about the DPF. The European Parliament expressed concern that US authorities would by this means get access to data they would otherwise have been prohibited from accessing;
- European citizens are not able to seek effective legal remedy in the European Parliament’s view. Although a redress mechanism has been created for European citizens under the EO 14086, the decision of the competent authority is not intended to be made public, so that the data subject filing the complaint would not have the possibility to appeal the decision or claim damages.
In addition, the following aspects were mentioned by the European Parliament, leading to the resolution against the draft US adequacy decision:
- The US still lacks a federal data protection law and EO 14086 can be amended or revoked at any time by the US President;
- The European Commission is required to assess the adequacy of a third country based not only on the legislative and regulatory framework, but also on its practical implementation; and
- The DPF principles issued by the US Department of Commerce were not considered to have not been sufficiently amended in comparison to those under the EU-US Privacy Shield, in order to provide an essentially equivalent level of data protection to that provided under the GDPR.
The European Parliament called on the Commission to continue negotiations with its US counterparts in order to create mechanisms that would ensure the required level of equivalence.
It remains to be seen whether the European Commission will be willing or able to renegotiate parts of the deal to sufficiently address the criticisms made by the European Parliament. While the European Parliament’s resolution is expected to delay the process, it is still possible that there will be a new draft EU adequacy decision for the DPF this year, although without any additional changes to address the European Parliament’s concerns, the validity of that decision is likely to come under greater scrutiny in the future.