News
NEW
MEPs are concerned about the proposed EU-US data transfer agreement

Published April 19, 2023
by Melissa Walehiane

min read

Summary

    The resolution adopted this Thursday, April 13, by the MEPs of the Civil Liberties Committee considers that the proposed EU-US data protection framework is an "improvement", but that the progress is "not sufficient" to justify an adequacy decision on personal data transfers.

    Indeed, the adopted resolution argues that the European Commission should not grant the United States an adequacy decision considering that its level of personal data protection is essentially equivalent to that of the EU and allowing transfers of personal data between the EU and the US.

    First, MEPs note that the US legal framework still allows for the bulk collection of personal data in certain cases. In addition, it does not subject bulk data collection to independent prior authorization and does not provide clear rules on data retention.

    MEPs are also unenthusiastic about the appeal mechanism that has been put in place. This is crucial because it is undoubtedly around this fundamental issue that the CJEU will be asked to decide. Previous decisions indicate quite clearly that without a review mechanism, and without an effective remedy, no adequacy decision will pass muster.

    As a reminder, the U.S. framework creates a new supervisory authority and a two-tier appeal mechanism:

    At the first level, EU citizens will be able to file a complaint with the Civil Liberties Protection Officer, who is responsible for overseeing the U.S. intelligence community and ensuring that privacy and fundamental rights are respected by U.S. intelligence agencies.

    At the second level, individuals will be able to appeal the decision of the Civil Liberties Protection Officer to the newly created Data Protection Review Court. This Court will be composed of members appointed from outside the US government on the basis of specific qualifications. 

    The latter will be subject to specific protection in that they can only be dismissed for serious reasons and cannot be instructed by the government.

    The Data Protection Review Court will have the power to investigate complaints from EU data subjects, including obtaining relevant information from intelligence agencies, and will be able to take binding remedial decisions such as deleting data if it deems it necessary.

    Thus, the Commission's rapporteur concluded as follows

     "The new framework is certainly an improvement over the previous mechanisms. However, the work is not finished. We are not convinced that this new framework sufficiently protects the personal data of our citizens, and we therefore doubt that it will survive the test of the CJEU. The Commission must continue to work to address the concerns raised by the European Data Protection Committee and the Civil Liberties Committee, even if it means reopening negotiations with the United States."

     

    Continue the conversation in the Yes We Trust community

    Related Articles
    Our freshest data privacy content for you
    • News

    The United Kingdom introduces a draft reform of its data protection law | Yes We Trust

    March 20, 2023 by Melissa Walehiane

    Read Article

    • News

    Ericsson Fined More Than $200 Million In The US | Yes We Trust

    March 24, 2023 by Melissa Walehiane

    Read Article

    • News

    Cityscoot and the Cnil | Yes We Trust

    March 29, 2023 by Melissa Walehiane

    Cityscoot and the CNIL

    Read Article

    • News

    Apple to now invest in GenAI │Yes We Trust

    October 25, 2023 by Jivika Lillaney

    Apple to now invest in GenAI

    Read Article

    • News

    Microsoft under surveillance | Yes We Trust

    April 4, 2023 by Melissa Walehiane

    Read Article

    • News

    OpenAI will propose corrective measures regarding ChatGPT ban in Italy | Yes We Trust

    April 14, 2023 by Melissa Walehiane

    OpenAI will propose corrective measures regarding ChatGPT ban in Italy

    Read Article