EU Parliament: Why MEPs rejected the Data Privacy Framework in committee

The EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) published a Draft Motion for a Resolution on the adequacy of the protection afforded by the EU-US Data Privacy Framework (DPF).

What does the Draft Motion for a Resolution say?

The draft concludes that the EU-US Data Privacy Framework fails to provide the adequate level of protection required by EU data protection law as interpreted by the Court of Justice, and urges the Commission not to adopt the adequacy decision and to continue negotiations with the US government.

In its argumentation, the draft articulates the concerns, expressed by multiple data protection authorities and privacy activist groups:

• The principles of proportionality and necessity have different definitions and interpretation in EU and US laws;
• The US Executive Order (EO) does not prohibit the bulk collection of data by public authorities;
• The EO does not apply to data accessed by public authorities via other means, e.g. US Cloud Act or the US Patriot Act, by commercial data purchases, or by voluntary data sharing agreements;
• The redress process does not provide for sufficient transparency and impartiality;
• Unlike all other countries that have received adequacy decisions under GDPR, the US does not have a federal privacy law;
• The EO can be amended at any time by the US president;
• EU businesses deserve legal certainty, whereas data transfer mechanisms, subject to legal challenges and repeals, lead to continuing uncertainty and additional costs.

What are the next steps for the EU-US Data Privacy Framework?

The time between the adoption of the Draft Motion for a Resolution by the Committee and its vote in the plenary session can range from a few weeks to several months.
The final vote by the Parliament is reportedly expected mid-April, while the separate EDPB non-binding opinion, which will likely be critical towards the DPF as well, is expected to be adopted even earlier.

If a qualified majority of EU member states votes in favour of the adequacy decision, it could be finalised by July at the earliest.

All of this is yet another clear indication that the legal uncertainty for businesses with respect to transatlantic data flows is here to stay, even if a potential adequacy decision is eventually adopted.