Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

EU: LIBE Committee submits draft motion, concludes that EU-US DPF fails to provide equivalent protection

The Civil Liberties, Justice and Home Affairs ('LIBE') Committee of the European Parliament released, on 14 February 2023, a draft motion for the resolution on the adequacy of the protection afforded by the EU-US Data Privacy Framework ('the Draft Motion'), concluding that the EU-US Data Privacy Framework fails to provide equivalent protection. 

In particular, the Draft Motion acknowledges the efforts made in the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities ('the Executive Order'), regarding referral to principles of proportionality, necessity, and legitimate objectives for these. However, the Draft Motion clarifies that these are long-standing principles in the EU data protection regime, and such principles' definitions in the Executive Order are not in line with their EU counterparts and their interpretation by the Court of Justice of the European Union ('CJEU'). Further, the Draft Motion provides, with regard to the Data Protection Review Court ('DPRC'), that its decisions will be classified, that the DPRC will be part of the executive branch, not the judiciary, and that the redress mechanism does not set up an obligation to notify the complainant that their personal data has been processed. Therefore, the Draft Motion alleges that the DPRC undermines the right to access or to rectify personal data.

In addition, the Draft Motion outlines that European businesses need and deserve legal certainty, stressing that successive data transfer mechanisms, repealed by the CJEU, created additional costs to businesses, and continuing uncertainty is particularly burdensome for micro, small, and medium-sized entities. On commercial matters, the Draft Motion outlines that the remedies for commercial matters under the adequacy decision are insufficient, and that remedies are largely left to the discretion of companies. Movever, the Draft Motion details that unlike other countries which have received an adequacy decision under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the US still does not have a federal data protection law. Accordingly, the Draft Motion points out that the Executive Order is not clear, precise, or foreseeable in its application, and that there are concerns about the absence of a sunset clause, which could provide that a decision would automatically expire after four years after its entry into force.

In light of the above, the Draft Motion concludes that the EU-US Data Privacy Framework fails to create actual equivalence in the level of protection, and urges the Commission not to adopt the adequacy finding. On this point, the Draft Motion calls on the Commission to continue negotiations with the US with the aim of creating a mechanism that would ensure such equivalence and would provide the adequate level of protection required by EU data protection law and the EU Charter of Fundamental Rights, as interpreted by the CJEU.  

You can read the Draft Motion here.