MEPs rejected the EU- U.S. Data Privacy Framework

25 May 2023

On the 11th of May 2023, Members of the European Parliament (MEPs), have adopted a resolution, rejecting the proposed EU-U.S. Data Privacy Framework (DPF). MEPs argued that the European Commission should not grant the United States an adequacy decision deeming its level of personal data protection essentially equivalent to that of the EU and allowing for transfers of personal data between the EU and U.S.

MEPs stated that the said Framework is an improvement on previous frameworks i.e. the EU-U.S. Privacy Shield, invalidated by rulings of the Court of Justice of the European Union in the Schrems case, but does not provide for sufficient safeguards. Among other issues, they noted that the DPF still allows for bulk collection of personal data in certain cases, does not make bulk data collection subject to independent prior authorization and does not provide for clear rules on data retention.

In view of the above, MEPs urged the European Commission to ensure that the future regime is “lawsuit-proof” and can provide legal certainty to EU citizens and businesses. MEPs stated that the current regime, is likely to be invalidated by a court ruling.

Background
On the December 13th, 2022, the European Commission published its draft adequacy decision for EU-US data flows within the context of the DPF, which will facilitate safe trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in its landmark Schrems II decision and the invalidation of the previous adequacy decision.
An adequacy decision is one of the tools provided by the General Data Protection Regulation (GDPR) to enable personal data transfers from the EU to third countries which, in the assessment of the Commission, offer a comparable level of protection of personal data to that of the European Union.
The draft adequacy decision reflects the assessment of the US legal framework by the European Commission, which concludes that it provides comparable safeguards to those provided by the EU, recognizing the essential equivalence of the US data protection standards for the protection of personal data transferred from the EU to US companies.

Impact
The recent updates showcase the negative stance of the European Parliament against the DPF, and particularly their concerns on important topics such as the rights to redress and access to information, judicial independence, transparency and access to justice.  
We estimate that the chances of having an adequacy decision by July 2023, as was previously indicated, which will allow data to flow freely and safely between the EU and US entities, without having to put in place additional data protection safeguards, are low.
Until a framework is adopted by the EU Commission, we recommend that all entities continue to follow the established procedure in case of data transfers to the US, while preserving the fundamental rights and freedoms of individual, through the execution of Transfer Impact Assessments (TIAs) and the use of an appropriate data transfer tool such as the Standard Contractual Clauses (SCCs).
The Data exporter is responsible for verifying, on a case-by-case basis and, where appropriate, in collaboration with the importer in the third country, if the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools. In this case, the exporters shall implement supplementary measures to fill in the gaps and raise the level of protection afforded to the transferred data, in order to reach the EU standard.
 

MORE RELATED NEWS

Saudi Arabia Data Protection Compliance: National Register for Controllers and Data Protection Officer Requirements
Raphael Legal and Privacy Minders Author the Cyprus Chapter in the ICLG Data Protection Guide 2024
How IAB Europe TCF v2.2 Enhances Digital Advertising Privacy Compliance
ENISA Report on Engineering Personal Data Protection in EU Data Spaces
Larnaca, Cyprus

32 Konstantinou Paleologou Street,
The Square, 2nd Floor,
6036 Larnaca, Cyprus

London, United Kingdom

71-75 Shelton Street
London WC2H 9JQ
United Kingdom

Get in touch

Tel: +357 24 32 33 33
Email: info@privacyminders.com

Click here to Subscribe