Listen
to
this
post
On
May
11,
2023,
at
a
plenary
session,
the
European
Parliament
voted
to
adopt
a
resolution
on
the
adequacy
of
the
protection
afforded
by
the
EU-U.S.
Data
Privacy
Framework
(the
“Framework”)
which
calls
on
the
European
Commission
(the
“Commission”)
to
continue
negotiations
with
its
U.S.
counterparts
with
the
aim
of
creating
a
mechanism
that
would
ensure
equivalence
and
provide
the
adequate
level
of
protection
required
by
EU
data
protection
law.
The
text
was
adopted
with
306
votes
in
favor,
27
against
and
231
abstaining.
This
resolution
follows
the
draft
motion
(summary
available
here)
which
was
published
in
February
2023
and
urged
the
Commission
not
to
adopt
adequacy
based
on
the
Framework.
Key
takeaways
from
the
resolution
are:
-
Parliament
is
“concerned”
that
if
the
Framework
is
adopted,
it
could
be
invalidated
by
the
Court
of
Justice
of
the
European
Union
(the
“CJEU”),
like
its
predecessors,
which
could
lead
to
a
“continuing
lack
of
legal
certainty,
further
costs
and
disruption
for
European
citizens
and
businesses.”
-
Parliament
takes
note
of
the
“efforts”
made
in
the
EO
14086
and
“stresses”
that
the
EO
“provides
for
significant
improvements
aimed
at
ensuring
that
these
principles
are
essentially
equivalent
under
EU
law.”
However,
it
goes
on
to
opine
that
the
principles
contained
in
the
EO
as
to
proportionality
and
necessity
are
“not
in
line”
with
the
definitions
of
such
under
EU
law,
nor
the
interpretations
of
such
by
the
CJEU.
-
Parliament
“shares
the
EDPB’s
concerns
over
EO
14086’s
failure
to
provide
sufficient
safeguards
in
the
case
of
bulk
data
collection.”
It
points
particularly
to
the
“specific
concern”
that
without
further
restrictions
on
dissemination
to
U.S.
authorities,
law
enforcement
authorities
would
be
able
to
access
data
they
would
otherwise
have
been
prohibited
from
accessing.
It
also
shares
other
concerns
expressed
by
the
EDPB
including
regarding
the
rights
of
data
subjects,
the
lack
of
clarity
about
the
application
of
the
principles
to
processors
and
the
need
to
avoid
onward
transfers
undermining
the
level
of
protection.
-
Parliament
requests
that
EU
citizens
have
the
same
rights
and
privileges
as
U.S.
citizens
with
regards
to
surveillance
and
effective
judicial
redress.
-
In
discussing
the
proposed
new
redress
mechanism,
the
Data
Protection
Review
Court
(the
“DPRC”),
Parliament
notes
several
concerns
which
it
calls
on
the
Commission
to
address
in
negotiations
with
the
U.S.,
for
example
that
decisions
of
the
DPRC
would
be
classified
and
not
public
or
available
to
the
complainant,
and
that
certain
elements
of
the
DPRC
lack
independence.
-
Parliament
concludes
that
the
Framework
“fails
to
create
essential
equivalence”
and
calls
on
the
Commission
to
continue
its
negotiations
with
the
U.S.
on
the
Framework
and
to
not
adopt
an
adequacy
finding
until
all
the
recommendations
made
in
the
resolution
and
the
EDPB
opinion
are
fully
implemented.
It
further
calls
on
the
Commission
to
“act
in
the
interest
of
EU
businesses
and
citizens
by
ensuring
that
the
proposed
framework
provides
a
solid,
sufficient
and
future-oriented
legal
basis
for
EU-U.S.
data
transfers”.
It
notes,
finally,
that
if
an
adequacy
decision
is
adopted
and
invalidated
again
by
the
CJEU,
this
would
a
failure
to
protect
EU
citizens’
rights
and
would
be
the
responsibility
of
the
Commission.
This
resolution
is
not
binding
on
the
Commission
but
it
will
be
taken
into
account
by
the
Commission
when
considering
the
Framework,
along
with
the
opinion
of
the
EDPB,
as
referenced
by
Parliament.