Resolution on the adequacy of the protection afforded by the EU-US Data Privacy Framework
The European Parliament adopted by 306 votes to 27, with 231 abstentions, a resolution on the adequacy of the protection afforded by the EU-US Data Privacy Framework.
On 13 December 2022, the Commission launched the process to adopt an adequacy decision for the EU-US Data Privacy Framework. This resolution on the adequacy of the protection afforded by the EU-U.S. Data Privacy Framework calls on the European Commission to continue negotiations with its U.S. counterparts with the aim of creating a mechanism that would ensure equivalence and provide the adequate level of protection required by EU data protection law.
There is no federal privacy and data protection legislation in the United States. However, Executive Order 14086 on Enhancing Safeguards For United States Signals Intelligence Activities (EO 14086) introduces definitions of key data protection concepts such as the principles of necessity and proportionality, constituting a significant step forward in comparison with previous transfer mechanisms. Unlike all other third countries that have received an adequacy decision under the General Data Protection Regulation (GDPR), the United States still lacks a federal data protection law. EO 14086 is not clear, precise or foreseeable in its application, as it can be amended or revoked at any time by the US President, who is also empowered to issue secret executive orders.
Parliament recalled that private and family life and the protection of personal data are legally enforceable fundamental rights enshrined in the Treaties, the Charter and the European Convention on Human Rights, as well as in laws and case-law. It emphasised that adequacy decisions under the GDPR are legal decisions, not political choices and that the rights to privacy and data protection cannot be balanced against commercial or political interests but only against other fundamental rights.
Account is taken of the efforts made in EO 14086 to lay down limits on US signals intelligence activities by making the principles of proportionality and necessity apply to the US legal framework on signals intelligence, and by providing a list of legitimate objectives for such activities. These principles would be binding on the entire US intelligence community and could be invoked by data subjects within the procedure envisaged in EO 14086.
Parliament shared the EDPB's concerns over EO 14086's failure to provide sufficient safeguards in the case of bulk data collection. In the absence of additional restrictions on the transmission of data to the US authorities, law enforcement authorities would be able to access data that they would not otherwise have been allowed to see.
A new redress mechanism has been created to allow EU data subjects to lodge a complaint. Parliament pointed out that the decisions of the Data Protection Review Court (DPRC) would be filed and not made public or available to the complainant, which would undermine their right to access or rectify their data. As a result, a person lodging an appeal would have no chance of being informed of the substantive outcome of the appeal and the decision would be final. The proposed redress procedure does not provide for an appeal to a federal court and therefore does not provide, among other things, for the possibility for the complainant to claim damages. The Commission is invited to continue negotiations with the United States to achieve the changes necessary to address these concerns.
In addition, the United States has provided for a new remedy mechanism for issues related to public authorities' access to data, but questions remain about the effectiveness of the remedies available for commercial matters, which are unchanged under the adequacy decision. The mechanisms aimed at resolving these issues are largely left to the discretion of companies, which can select alternative remedy avenues such as dispute resolution mechanisms or the use of companies' privacy programmes. Parliament called on the Commission, if an adequacy decision is adopted, to closely analyse the effectiveness of these redress mechanisms.
Conclusions
It is recalled that, in its resolution of 20 May 2021, Parliament called on the Commission not to adopt a new adequacy decision in relation to the United States unless meaningful reforms were introduced, in particular for national security and intelligence purposes. Parliament does not consider EO 14086 to be sufficiently meaningful, and it reiterated that the Commission should not leave the task of protecting the fundamental rights of EU citizens to the Court of Justice of the European Union following complaints from such individual citizens.
Parliament concluded that the Framework fails to create essential equivalence and called on the Commission to continue its negotiations with the U.S. on the Framework and to not adopt an adequacy finding until all the recommendations made in the resolution and the European Data Protection Board opinion are fully implemented.
It further called on the Commission to act in the interest of EU businesses and citizens by ensuring that the proposed framework provides a solid, sufficient and future-oriented legal basis for EU-U.S. data transfers.
Lastly, it noted that if an adequacy decision is adopted and invalidated again by the CJEU, this would be a failure to protect EU citizens' rights and would be the responsibility of the Commission.