The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs has recommended that the European Commission reject the proposed EU-US Data Privacy Framework, which would govern the way in which the personal information of EU citizens is handled by US companies.
The committee's decision — formally, a draft motion for a resolution— represents a rejection of the European Commission’s recommendation, announced in December, that the data privacy framework should be adopted. The recommendation stated that US law now offers an “adequate” level of protection for the personal data of EU users of US companies’ services.
According to the parliamentary committee, however, the proposed data privacy framework doesn’t fully comply with the EU’s General Data Protection Regulation (GDPR), particularly in light of ongoing US policy that would allow for the large-scale, warrantless collection of user data for national security purposes.
An executive order issued by the Biden Administration, the committee said, is insufficient additional protection for several reasons, including the mutability of policy made by executive order — it can simply be reversed or amended by the president at any time — and the inadequacy of the safeguards it provides.
EU Parliament: Data pact with US is 'vague'
In particular, the committee noted, the executive order is too vague, and leaves US courts — who would be the sole interpreters of the policy — wiggle room to approve the bulk collection of data for signals intelligence, and doesn’t apply to data accessed under US laws like the Cloud Act and the Patriot Act.
The parliamentary committee's major points echoed those of many critics of the deal in the EU, as well as the criticsm of the American Civil Liberties Union (ACLU), which has said that the US has failed to enact meaningful surveillance reform.
The committee, in its motion for a resolution, said that “unlike all other third countries that have received an adequacy decision under the GDPR, the US still does not have a federal data protection law."
In short, the committee said that US domestic law is simply incompatible with the GDPR framework, and that no agreement should be reached until those laws are more in alignment. The committee’s negative response this week to the proposed data privacy framework, however, was a nonbinding draft resolution and though it is a sticking point, does not put a formal halt to the adoption process, as its approval was not required to move the agreement along.
It's not a surprise that the committee issued a negative recommendation, according to Lartease Tiffith, executive vice president for public policy at the Interactive Advertising Bureau, which has supported the draft framework.
"It has a particular point of view on all issues related to privacy and civil liberties," he said. "We will have to see what the [European Commission] decides."