The European Parliament LIBE Committee has urged the European Commission not to issue an adequacy decision for the EU-US Data Privacy Framework (the “Framework”) – which would allow the free flow of personal data between the EU and US. An adequacy decision means that the EU has assessed and recognises that a country provides an equivalent level of protection for personal data as the EU does.
MEPs state that the Framework does not provide sufficient protections and have called for continued negotiations. The Parliament’s concerns include:
- The lack of prohibition on the bulk collection of data;
- The list of legitimate security objectives, which can override an individual’s privacy rights by allowing for signal intelligence, can be expanded without any additions being subject to public scrutiny and at the President’s discretion;
- Unlike other third countries, the US does not have a federal data protection regime offering a consistent level of protection for data across the country;
- Lack of transparency requirements on what personal data is processed which undermines an individual’s right to access or rectification; and
- The US Data Protection Review Court is part of the executive branch, not the judiciary which raises concerns over the impartiality of such proceedings.
The latest development from the European Parliament will come as a blow to many European and American businesses. Many had been hoping that the updates made to the U.S. security regime last year would mean an adequacy decision was forthcoming, allowing for an easing of administrative requirements to satisfy when transferring data between the two jurisdictions.
Companies in the UK should keep a close eye on whether the Framework receives an adequacy decision from the European Commission later this year, especially if they have group companies based in the EU. Whilst UK based companies would not be able to rely on an adequacy decision to transfer data to the US a favourable decision for the US would encourage the same approach being taken in the UK who is separately negotiating a US-UK data transfer agreement. If the Framework is not agreed then the UK will likely be more cautious in depending on the US’s apparent protections when looking at whether to make an adequacy decision of its own.
See the full draft opinion here.