Negative opinion of the European Parliament on the draft adequacy for the EU-US data transfer
We would like to inform you that by resolution of May 11, 2023, the EU Parliament expressed its opposition to the draft adequacy decision for the transfer of data from EU to the US, issued by EU Commission.
THE ADEQUACY DECISION
The adequacy decision is one of the tools under Article 45 GDPR, through which permits the transfer of personal data from the EU to a third country. The EU Commission issues an adequacy decision if it deems that the third country provides an adequate level of protection: in this case, personal data can be transferred.
In the absence of an adequacy decision, transfers of personal data from the EU to the US may take place under Article 46 GDPR, by signing Standard Contractual Clauses.
THE TIMELINE
- on July 16, 2020, the Court of Justice of the EU with the “Schrems II” decision invalidated the EU adequacy decision, allowing transatlantic exchanges of personal data for commercial purposes between the European Union and the United States of America (“Privacy Shield“);
- on October 7, 2022, U.S. President Joe Biden signed an executive order implementing the principles set by the European Commission and the United States in the Trans-Atlantic Data Privacy Framework, aimed at ensuring the legitimacy of transborder personal data flows, thus overcoming the critical issues raised by the EU Court of Justice;
- on December 13, 2022, the EU Commission issued a draft adequacy decision based on the new Data Privacy Framework.
THE “NO” OF THE EUROPEAN PARLIAMENT
According to the European Parliament, the U.S. do not guarantee a level of protection for personal data equivalent to that provided by EU law.
We point out, below, some of the reasons why the EU Parliament gave a negative opinion to the draft adequacy decision based on the Data Privacy Framework:
- there is not a federal data protection legislation in the US yet;
- the definitions in the Executive Order are not in line with those in EU law, and with the interpretations of the EU Court of Justice;
- there is no prohibition of mass surveillance and bulk data collection by state agents when EU citizens are involved;
- the list of legitimate national security objectives, for which signals intelligence collection is prohibited, can be changed by the U.S. President with no obligation to make the relevant updates public nor to inform the EU;
- EU citizens have no effective legal remedies with regard to U.S. intelligence activity;
- the Tribunal’s decisions are not made public or available to the complainant, who would only be informed that the review did not identify any covered violations;
- there are no specific rules regarding automated decision-making and profiling, nor clarity regarding the role of data processors.
THE CONCLUSIONS OF THE EU PARLIAMENT
Although the European Parliament recognizes significant improvements aimed at ensuring the application of the principles of proportionality and necessity by the U.S., it concludes by asserting he EU-US Data Privacy Framework fails to create essential equivalence in the level of protection.
Therefore, Parliament invites the Commission to continue negotiations with its U.S. counterparts and not to adopt the adequacy decision “until all the recommendations made in the resolution and opinion of the EDPB opinion are fully implemented”.
***
We would like to remind you that our professionals offer assistance in data protection and we remain available for any clarifications.