This article is more than 1 year old

EU lawmakers argue against signing US data-transfer pact

Committee: Something about complaints process being dealt with in total secrecy doesn't sit right

Lawmakers in the European Parliament have urged the European Commission not to issue the "adequacy decision" needed for the EU-US Data Privacy Framework (DPF) to officially become the pipeline for data to freely flow from the EU to the States.

It almost goes without saying that the current operation of the technology sector in Europe would not work without US tech companies' services – so data transfers to these American corporations cannot practicably be avoided. However, European rules around privacy, data collection, and data subjects' rights are considerably stronger than those in America, hence the need for rules of engagement that make US companies' treatment of EU data as good as what they'd get at home.

The DPF was announced in March last year and is meant to address concerns raised by the EU's Court of Justice in Schrems II, a 2020 case that struck down the so-called Privacy Shield data protection arrangements between the political bloc and the US.

EU president Ursula von der Leyen and US president Joe Biden said they'd reached an agreement in principle on the framework for transatlantic data flows at the time, with Biden signing an executive order (EO) on the matter in October last year.

But the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) is still not happy with what it sees, and has put out a nonbinding draft opinion [PDF] on how adequate it thinks the protection given by the proposed cross-border data rules is. In short: it ain't.

According to the motion filed this week, the latest Data Privacy Framework still falls far short of the General Data Protection Regulation standard EU residents could expect from companies that are regulated within the bloc. The Committee says that "unless meaningful reforms were introduced," the Commish shouldn't proceed. Tech lawyer Neil Brown of decoded.legal told The Register that "In other words... no amount of paperwork will overcome what they perceive to be aspects of US law which they consider to be incompatible with the EU GDPR."

LIBE said the rejigged rules did not have the robust government surveillance safeguards and consumer redress mechanisms that it would expect in order "to create actual equivalence in the level of protection" provided to EU residents' transferred data.

Among other issues, it pointed to:

  • the fact that [US President Biden's] EO does not prohibit the bulk collection of data by signals intelligence, including the content of communications; and
  • notes that the list of legitimate national security objectives can be expanded by the US President, who can determine not to make the relevant updates public;

The committee also pointed out that "unlike all other third countries that have received an adequacy decision under the GDPR, the US still does not have a federal data protection law." That matters when principles around any "limits" imposed on US SigInt work "will be interpreted solely in the light of US law and legal traditions," it said.

The DPF has provided for a several redress mechanisms. Among other things, Europeans can lodge grievances with the Data Protection Review Court (DPRC) if they believe their personal data was collected in violation of applicable US law.

However, the committee found, the "redress process provided by the EO is based on secrecy and does not set up an obligation to notify the complainant that their personal data has been processed, thereby undermining their right to access or rectify their data."

It also found the DPRC didn't meet the standards of impartiality or independence under the EU's Fundamental Rights charter as the "complainant will be represented by a 'special advocate' designated by the DPRC, for whom there is no requirement of independence," and also that there was no route for federal appeal for the data subject.

If it passes all the European Union hurdles, an adequacy decision for the DPF could be expected around July 2023. Once it is adopted, European businesses will be able to transfer personal data to "participating companies in the United States, without having to put in place additional data protection safeguards."

But is that going to happen? Brown told The Register: "My feeling ... is that there would be scepticism of any US-issued edict, which failed to prohibit bulk collection (and such a prohibition seems highly unlikely), or which permits secret interpretations / expansions of the law." ®

More about

TIP US OFF

Send us news


Other stories you might like