On 13 April 2023, the EU’s Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee) passed a resolution to stop the debate over the draft adequacy decision stating that the new EU-US Data Privacy Framework (DPF) and the Executive Order on Enhancing Safeguards for US Signals Intelligence Activities issued by the US President do not provide sufficient privacy safeguards. The DPF was originally predicted to pass in early 2023 but putting a resolution to Parliament’s vote suggests looming delays.

From a recent panel discussion with members of the DOJ and the EU Commission, it was communicated that the US and the EU are working very closely together on shaping the DPF and the implementing acts of the Executive Order.

Background

At the end of 2022, the European Commission published its draft adequacy decision on EU-US transfers of personal data. The draft contained an assessment of the US legal framework for state surveillance. The DPF would allow free and safe data transfers between the EU and the US for US companies self-certified under DPF, bringing many commercial benefits to businesses on both sides.

Earlier this year, LIBE Committee and the European Data Protection Board (EDPB) issued opinions on the draft of the DPF. They both believe that there is more to be done and additional measures should be taken to achieve an equivalent level of protection required by the EU data protection law.

LIBE proposes the Parliament vote to stop the debate on the adequacy decision until concerns over DPF are addressed

LIBE Committee prepared a resolution to wind down the debate on the adequacy decision until concerns about the DPF are addressed.

The main concerns are whether the framework in its current form sufficiently protects the personal data of EU citizens. MEPs doubt that, similarly to its predecessors, the DPF will survive CJEU’s (EU Court of Justice) scrutiny.

LIBE Committee members want to avoid the third challenge to the adequacy decision and call the Commission to address the gaps even if it means reopening negotiations with the US. In particular, the LIBE Committee was concerned about the bulk collection and processing of personal data by the US intelligence agencies, which would be allowed in the current form of DPF. This issue was previously voiced by the EDPB. Also, bulk data collection would not be subject to independent authorisation.

In its resolution, the LIBE Committee reiterated that mass surveillance, including the bulk collection of data, by state actors is detrimental to the trust of the EU citizens and each time a transfer mechanism is challenged it adds to the cost of compliance for businesses operating in the digital economy.

The resolution pointed out gaps in relation to the right to access and redress as the US legal system allows classifying the decisions of the Data Protection Review Court, meaning the complainant would be unduly restricted in accessing or rectifying their data.

What’s next?

In the coming weeks, European Parliament will vote on LIBE Committee’s resolution in a plenary session. The concerns have to be taken seriously, but at the same time, they do not pose hurdles that cannot be overcome. Given that the EU and the US authorities started work on making improvements to the DPF, organizations can remain positive. It is estimated that the updated DPF may be approved in summer 2023.