June 23. 2024. 2:21

The Daily

Read the World Today

MEPs to call for renegotiation of EU-US data transfer framework


EU lawmakers are set to adopt a non-binding resolution urging the European Commission not to endorse the Data Privacy Framework for transatlantic data flows until fundamental rights concerns are fully addressed.

The draft motion, seen by EURACTIV, is expected to receive broad support in the European Parliament’s Civil Liberties Committee on Thursday (13 April).

Although the committee is generally more progressive than the rest of the house, the resolution is set to be confirmed during the plenary vote, and some last-minute amendments from more conservative or liberal lawmakers are not ruled out.

The plenary vote is planned for the week starting 8 May. In the following week, a delegation of MEPs from the same committee is scheduled to visit the United States to meet parts of the federal administration, government agencies, and the bodies set up to enforce the new privacy framework.

The Commission is in the process of adopting a data adequacy decision to provide a legal basis for transferring data of EU residents to the United States. A new legal framework was necessary as the previous ones were ruled illegal by the EU Court of Justice in the landmark Schrems cases.

After months of negotiations, the Commission and US administration found a new arrangement limiting US intelligence agencies’ data access and setting up a redress mechanism with an Executive Order.

President Biden signs executive order for a new EU-US data transfer framework

President of the United States, Joe Biden, has signed an executive order for a new EU-US data transfer framework which will introduce safeguards for US intelligence services’ access to European personal data, overcoming the stumbling block that saw the mechanism fail in 2020.

The European Data Protection Board (EDPB), which gathers all EU data protection authorities, has already reviewed the EU-US Data Privacy Framework with a non-binding opinion. While welcoming the progress from the US side, the Board put forth some significant caveats.

MEPs are going one step further, asking the Commission not to adopt the adequacy decision until the board’s and the resolution’s recommendations are fully implemented.

The motion also notes that, according to the Executive Order, the US intelligence community has until October to update its policies, meaning that the Commission will not have the time to assess how the new policies work out in practice.

Moreover, the EU lawmakers are set to call on the Commission to take responsibility if the adequacy decision is again overturned in Court, stressing that political or commercial interests should not dictate adequacy decisions.

Other points of concern related to the future-proofness of the Data Privacy Framework, its underlying principles and its redress mechanism. Whilst the resolution is non-binding, the European Parliament could challenge the decision if it considers the Commission overstepped its powers.

EU-US data transfer framework: European privacy authorities put forth caveats

The European Data Protection Board (EDPB) welcomed with reservations the new Data Privacy Framework, meant to provide the legal framework for transatlantic data flows.

Future proofness

What is particularly concerning for MEPs is that Executive Orders can be amended or revoked at any time by the US president, who is also empowered to issue secret ones.

For the lawmakers, the Commission should review the adequacy decision every three years, as requested by the EDPB and include a sunset clause by which the adequacy decision expires automatically.

Proportionality and necessity

In the Schrems II ruling, the EU Court considered that US intelligence agencies have disproportionate access to personal data from the EU.

Thus, the Executive Order requires these intelligence activities to be carried out against pre-defined security objectives and bound by the principles of proportionality and necessity.

However, the MEPs regret that the US President might amend the list of pre-set objectives with a stroke of a pen with no obligation to inform anyone and that no proportionality assessment is needed for each surveillance decision.

In addition, the resolution points out that “for the purposes of the EU-US Data Privacy Framework, these principles would be interpreted solely in the light of US law and legal traditions and not those of the EU.”

European Commission publishes draft adequacy decision on EU-US data flows

The European Commission initiated the formal process for adopting an adequacy decision on the EU-US Data Privacy Framework on Tuesday (13 December). But the third attempt to underpin transatlantic data transfers is bound to face more legal challenges.

The draft decision …

Redress mechanism

The absence of the possibility for an EU citizen to seek redress in a US court was another critical point behind the Schrems II verdict. To address this, the Executive Order established a two-layer mechanism with a Civil Liberties Protection Officer and an ad hoc Data Protection Review Court.

Nevertheless, the EU lawmakers find it problematic that the decisions of this court would be classified, as it would provide no visibility on the way key legal concepts are being interpreted nor on the outcome of cases.

Furthermore, the resolution considers the Executive Order falls short in providing an avenue to appeal the decision before a federal court nor for the complainant to seek damages.

The court’s independence is also problematic, as the US President can overrule its decisions in secret and remove the judges during their term.

Surveillance regime

At the same time, MEPs stress that the US Foreign Intelligence Surveillance Act provision that allows security services to target non-American citizens remains unchanged.

While the Executive Order states that targeted data collection should be prioritised, EU lawmakers are concerned that it still allows bulk data collection under certain circumstances and without the prior authorisation of an independent authority nor strict data retention rules.