Summary
The resolution adopted this Thursday, April 13, by the MEPs of the Civil Liberties Committee considers that the proposed EU-US data protection framework is an "improvement", but that the progress is "not sufficient" to justify an adequacy decision on personal data transfers.
Indeed, the adopted resolution argues that the European Commission should not grant the United States an adequacy decision, that is, a decision finding that its level of personal data protection is essentially equivalent to that of the EU and allowing transfers of personal data between the EU and the US.
First, MEPs note that the US legal framework still allows for the bulk collection of personal data in certain cases. In addition, it does not subject bulk data collection to independent prior authorization and does not provide clear rules on data retention.
MEPs are also unenthusiastic about the appeal mechanism that has been put in place. This is crucial because it is undoubtedly on this fundamental issue that the CJEU will be asked to rule. Previous decisions indicate quite clearly that without a review mechanism, and without an effective remedy, no adequacy decision will pass muster.
As a reminder, the U.S. framework creates a new supervisory authority and a two-tier appeal mechanism:
At the first level, EU citizens will be able to file a complaint with the Civil Liberties Protection Officer, who is responsible for overseeing the U.S. intelligence community and ensuring that privacy and fundamental rights are respected by U.S. intelligence agencies.
At the second level, individuals will be able to appeal the decision of the Civil Liberties Protection Officer to the newly created Data Protection Review Court. This Court will be composed of members appointed from outside the US government on the basis of specific qualifications.
These members will be subject to specific protection in that they can only be dismissed for serious reasons and cannot be instructed by the government.
The Data Protection Review Court will have the power to investigate complaints from EU data subjects, including obtaining relevant information from intelligence agencies, and will be able to take binding remedial decisions such as deleting data if it deems it necessary.
Thus, the Commission's rapporteur concluded as follows:
"The new framework is certainly an improvement over the previous mechanisms. However, the work is not finished. We are not convinced that this new framework sufficiently protects the personal data of our citizens, and we therefore doubt that it will survive the test of the CJEU. The Commission must continue to work to address the concerns raised by the European Data Protection Committee and the Civil Liberties Committee, even if it means reopening negotiations with the United States."