On May 11, 2023, at a plenary session, the European Parliament voted to adopt a resolution on the adequacy of the protection afforded by the EU-U.S. Data Privacy Framework (the “Framework”) which calls on the European Commission (the “Commission”) to continue negotiations with its U.S. counterparts with the aim of creating a mechanism that would ensure equivalence and provide the adequate level of protection required by EU data protection law. The text was adopted with 306 votes in favor, 27 against and 231 abstaining. This resolution follows the draft motion (summary available here) which was published in February 2023 and urged the Commission not to adopt adequacy based on the Framework.
Key takeaways from the resolution are:
- Parliament is “concerned” that if the Framework is adopted, it could be invalidated by the Court of Justice of the European Union (the “CJEU”), like its predecessors, which could lead to a “continuing lack of legal certainty, further costs and disruption for European citizens and businesses.”
- Parliament takes note of the “efforts” made in the EO 14086 and “stresses” that the EO “provides for significant improvements aimed at ensuring that these principles are essentially equivalent under EU law.” However, it goes on to opine that the principles contained in the EO as to proportionality and necessity are “not in line” with the definitions of such under EU law, nor the interpretations of such by the CJEU.
- Parliament “shares the EDPB’s concerns over EO 14086’s failure to provide sufficient safeguards in the case of bulk data collection.” It points particularly to the “specific concern” that without further restrictions on dissemination to U.S. authorities, law enforcement authorities would be able to access data they would otherwise have been prohibited from accessing. It also shares other concerns expressed by the EDPB including regarding the rights of data subjects, the lack of clarity about the application of the principles to processors and the need to avoid onward transfers undermining the level of protection.
- Parliament requests that EU citizens have the same rights and privileges as U.S. citizens with regards to surveillance and effective judicial redress.
- In discussing the proposed new redress mechanism, the Data Protection Review Court (the “DPRC”), Parliament notes several concerns which it calls on the Commission to address in negotiations with the U.S., for example that decisions of the DPRC would be classified and not public or available to the complainant, and that certain elements of the DPRC lack independence.
- Parliament concludes that the Framework “fails to create essential equivalence” and calls on the Commission to continue its negotiations with the U.S. on the Framework and to not adopt an adequacy finding until all the recommendations made in the resolution and the EDPB opinion are fully implemented. It further calls on the Commission to “act in the interest of EU businesses and citizens by ensuring that the proposed framework provides a solid, sufficient and future-oriented legal basis for EU-U.S. data transfers”. It notes, finally, that if an adequacy decision is adopted and invalidated again by the CJEU, this would a failure to protect EU citizens’ rights and would be the responsibility of the Commission.
This resolution is not binding on the Commission but it will be taken into account by the Commission when considering the Framework, along with the opinion of the EDPB, as referenced by Parliament.