On February 14, 2023, in a Draft Motion for a Resolution on the adequacy of the protection afforded by the proposed EU-U.S. Data Privacy Framework (the “Framework”), the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (the “Committee”) urged the European Commission not to adopt adequacy based on the Framework, on the basis that it “fails to create actual equivalence” with the EU in the level of data protection that it provides.
A full Parliament vote on the Resolution is expected in the coming months, but even if passed the Resolution will not be binding on the European Commission with respect to its adequacy decision.
The Committee raised various objections to the Framework, including that:
- While Executive Order 14086 on Enhancing Safeguards For United States Signals Intelligence Activities (the “EO”, which provides the Framework) makes reference to principles of proportionality and necessity, the substantive definitions of these concepts in the EO, and likely interpretation under U.S. law, are out of line with their meaning and interpretation in the EU;
- The U.S. President retains the ability to amend the EO, meaning that it is not clear, precise, or foreseeable in its application;
- Decisions made by the Data Protection Review Court (“DPRC”) will not be made public or available to complainants, and more generally that the DPRC is not sufficiently transparent, independent or impartial, in part due to the fact that it is part of the executive branch rather than the judiciary; and
- Unlike other recipients of an adequacy decision from the European Commission, the U.S. does not have a federal data protection law in place.
In its conclusions, the Committee re-stated its prior request to the Commission “not to adopt any new adequacy decision in relation to the U.S., unless meaningful reforms were introduced, in particular for national security and intelligence purposes.”