EU parliamentarians have rejected a recommendation by the European Commission to adopt a data privacy framework governing the way the US handles the personal information of EU citizens.
The European Parliament Committee on Civil Liberties, Justice and Home Affairs is concerned that the proposed measures do not comply with the EU’s GDPR, are “vague” and do not offer individuals sufficient protection.
Tension between EU and US
There has been tension between the EU and US over the handling of personal data since the EU Court of Justice’s ruling in 2020 that the Privacy Shield data transfer agreement did not protect EU citizens from over-intrusive US surveillance. The ruling affects billions of dollars’ worth of digital trade.
Last October, US President Joe Biden signed an executive order that limited the ability of his country’s national security agencies to get access to personal information, and established a Data Protection Review Court within the Department of Justice. This body would allow people to file lawsuits challenging how their data was being used.
But the EU parliamentary committee has taken the view that Biden’s executive order is insufficient because it can be reversed by a president at any time, and because it is worded vaguely enough to allow US courts to interpret it to approve the bulk collection of data for signals intelligence. It also notes the order does not cover material gathered under the Patriot Act and the Cloud Act.
The motion laid down by the committee to wind up debate on the issue sets out a number of concerns. These include the observation that “there is no federal privacy and data protection legislation in the United States” and that “the EU and the US have differing definitions of key data protection concepts such as principles of necessity and proportionality”.
While efforts set out in Biden’s executive order (EO) are acknowledged, the committee says “these principles will be interpreted solely in the light of US law and legal traditions” and points out that “the EO requires that signals intelligence must be conducted in a manner proportionate to the ‘validated intelligence priority’, which appears to be a broad interpretation of proportionality”.
The committee also:
- “regrets the fact that the EO does not prohibit the bulk collection of data by signals intelligence”;
- “notes that the list of legitimate national security objectives can be expanded by the US President, who can determine not to make the relevant updates public”;
- “points out that the decisions of the Data Protection Review Court (‘DPRC’) will be classified and not made public or available to the complainant”;
- “points out that a complainant will be represented by a ‘special advocate’ designated by the DPRC, for whom there is no requirement of independence”;
- “notes that, while the US has provided for a new mechanism for remedy for issues related to public authorities’ access to data, the remedies available for commercial matters under the adequacy decision are insufficient”.
The motion concludes by saying “the EU-US Data Privacy Framework fails to create actual equivalence in the level of protection” and therefore “calls on the Commission to continue negotiations with its US counterparts with the aim of creating a mechanism that would ensure such equivalence” and “urges the Commission not to adopt the adequacy finding”.
The resolution is non-binding, but adopting the Trans-Atlantic Data Policy Framework without the approval of a key committee is going to be more difficult.