LIBE: Resi­stance to the ade­qua­cy of the TADPF.

On Febru­ary 14, 2023, the Euro­pean Parliament’s Com­mit­tee on Civil Liber­ties, Justi­ce and Home Affairs (LIBE) appro­ved the Draft reso­lu­ti­on in con­nec­tion with the Pri­va­cy Shield 2.0, the “EU‑U.S. Data Pri­va­cy Frame­work” (also refer­red to as the “Trans-Atlan­tic Data Pri­va­cy Frame­work.” TADPF), adopted for the atten­ti­on of the Par­lia­ment. The draft is based on Art. 132(2) of the Rules of Pro­ce­du­re of the Euro­pean Par­lia­ment, accor­ding to which the Par­lia­ment may adopt a reso­lu­ti­on at the end of a deba­te – this is what the LIBE requires.

If the draft is adopted, the Euro­pean Par­lia­ment will Against an ade­qua­cy decis­i­on for the Data Pri­va­cy Frame­work. deci­de. Simi­lar to noyb’s cri­ti­cism of the TADPF, the LIBE cri­ti­ci­zes the fol­lo­wing points in particular:

• key con­cepts such as pro­por­tio­na­li­ty are inter­pre­ted dif­fer­ent­ly under U.S. law than under the GDPR;
• the Exe­cu­ti­ce Order 14086 – basis of the TADPF – does not pre­vent a “bulk coll­ec­tion of data by signals intel­li­gence, inclu­ding the con­tent of com­mu­ni­ca­ti­ons” and does not app­ly to data that U.S. aut­ho­ri­ties obtain by other means, such as through the U.S. CLOUD Act, vol­un­t­a­ry dis­clo­sure, data purcha­se, or other means;
• Data Pro­tec­tion Review Court (DPRC) decis­i­ons are not made public;
• the DPRC is part of the exe­cu­ti­ve branch;
• Affec­ted per­sons befo­re the DPRC are not repre­sen­ted by inde­pen­dent coun­sel, but by a “Spe­cial Advocate.”
• Data sub­jects are not infor­med about the pro­ce­s­sing of their data and have no pos­si­bi­li­ty to cla­im com­pen­sa­ti­on, for example;
• legal pro­tec­tion against com­pa­nies par­ti­ci­pa­ting in the TADPF is insufficient;
• Euro­pean com­pa­nies deser­ve legal cer­tain­ty (i.e.: not to adopt a TADPF that the ECJ then overturns);
• the U.S. still does not have a fede­ral pri­va­cy law;
• the EO is not clear enough and can be chan­ged at any time, by the US President.

The­r­e­fo­re, he said, Par­lia­ment should deci­de as follows:

Con­clu­des that the EU-US Data Pri­va­cy Frame­work fails to crea­te actu­al equi­va­lence in the level of pro­tec­tion; calls on the Com­mis­si­on to con­ti­n­ue nego­tia­ti­ons with its US coun­ter­parts with the aim of crea­ting a mecha­nism that would ensu­re such equi­va­lence and which would pro­vi­de the ade­qua­te level of pro­tec­tion requi­red by Uni­on data pro­tec­tion law and the Char­ter as inter­pre­ted by the CJEU; urges the Com­mis­si­on not to
adopt the ade­qua­cy fin­ding;

Ins­tructs its Pre­si­dent to for­ward this reso­lu­ti­on to the Coun­cil, the Com­mis­si­on and the Pre­si­dent and Con­gress of the United Sta­tes of America.