On February 14, 2023, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) approved the Draft resolution in connection with the Privacy Shield 2.0, the “EU‑U.S. Data Privacy Framework” (also referred to as the “Trans-Atlantic Data Privacy Framework.” TADPF), adopted for the attention of the Parliament. The draft is based on Art. 132(2) of the Rules of Procedure of the European Parliament, according to which the Parliament may adopt a resolution at the end of a debate – this is what the LIBE requires.
If the draft is adopted, the European Parliament will Against an adequacy decision for the Data Privacy Framework. decide. Similar to noyb’s criticism of the TADPF, the LIBE criticizes the following points in particular:
- key concepts such as proportionality are interpreted differently under U.S. law than under the GDPR;
- the Executice Order 14086 – basis of the TADPF – does not prevent a “bulk collection of data by signals intelligence, including the content of communications” and does not apply to data that U.S. authorities obtain by other means, such as through the U.S. CLOUD Act, voluntary disclosure, data purchase, or other means;
- Data Protection Review Court (DPRC) decisions are not made public;
- the DPRC is part of the executive branch;
- Affected persons before the DPRC are not represented by independent counsel, but by a “Special Advocate.”
- Data subjects are not informed about the processing of their data and have no possibility to claim compensation, for example;
- legal protection against companies participating in the TADPF is insufficient;
- European companies deserve legal certainty (i.e.: not to adopt a TADPF that the ECJ then overturns);
- the U.S. still does not have a federal privacy law;
- the EO is not clear enough and can be changed at any time, by the US President.
Therefore, he said, Parliament should decide as follows:
Concludes that the EU-US Data Privacy Framework fails to create actual equivalence in the level of protection; calls on the Commission to continue negotiations with its US counterparts with the aim of creating a mechanism that would ensure such equivalence and which would provide the adequate level of protection required by Union data protection law and the Charter as interpreted by the CJEU; urges the Commission not to
adopt the adequacy finding;
Instructs its President to forward this resolution to the Council, the Commission and the President and Congress of the United States of America.