With the recent resolution adopted on 11 May 2023, the European Parliament voted against the “Data Privacy Framework”, i.e. the new agreement intended to regulate the transfer of personal data between the European Union and the United States. Already, back on the 14th of February 2023 the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament (LIBE Committee) called on the European Commission not to grant an adequacy decision for the framework especially regarding the level of protection of personal data offered by US legislation, as it is not deemed equivalent in comparison to that guaranteed in the European Union by the GDPR.
The Data Privacy Framework was not the first agreement between the European Union and the United States regarding cross-border data transfers. Actually, already in July the 26th 2000 the European Commission, basing its decision on the “Safe Harbor Framework“, decided that the United States offered sufficient guarantees of adequacy for data protection. That agreement included data protection principles that US companies were expected to respect in order to legitimately carry out data transfers with the European Union. This agreement, however, ceased following a ruling by the European Court of Justice, which on 6 October 2015 declared the Commission’s former decision on the adequacy of the “Safe Harbor Framework” invalid.
The second agreement, known as the “Privacy Shield“, was signed between the European Commission and the US Department of Commerce on the 12th of July 2016, with the aim of guaranteeing the confidentiality of EU citizens’ personal data in the event that it had been transferred to the United States for commercial purposes. This agreement obliged US companies to safeguard the personal data of EU citizens, strengthening the powers of the US Department of Commerce and the Federal Trade Commission. Privacy Shield foresaw in essence, stricter obligations for US companies when processing the data of European citizens, greater supervisory and control power by the Department of Commerce, but above all the establishment of a Mediator in the event of complaints regarding the access to data by the national intelligence authorities. This guaranteed the right, to all EU citizens and to the data protection authorities of the individual EU member states, to appeal when the provisions of the agreement were deemed to have been violated.
That agreement however, also ended with the historic “Schrems II” ruling of the 16th of July 2020: With this decision, the Court of Justice of the European Union (CJEU) declared the “Privacy Shield” invalid for two reasons: First, the surveillance checks provided by the US government did not comply with the provisions of the GDPR and the Charter of Fundamental Rights of the European Union; Second, effective independence and autonomy of the Ombudsman from the US government were not guaranteed, thus creating a situation which would have rendered any decision on complaints questionable.
Due to the intensification of relations between the EU and the United States, the new agreement between the parties, the “Data Privacy Framework“, may have been expected to have been enforced quickly , but Members of the European Parliament (MEPs) expressed concerns on the matter, based on the conviction that the level of protection of personal data offered by US legislation is not equivalent to that guaranteed by the GDPR. Another critical issue identified by the European Parliament concerns the secrecy of decisions of the specifically established Court (“Data Protection Review Court” or “DPCR”), regarding possible violations of citizens’ right to access and rectify their data ; furthermore , Parliament raised doubts in connection with the true independence of the aforementioned Tribunal, given that the President of the United States has the power to invalidate such decisions.
In short, the most important problem between the European Union and the United States when it comes to data protection is the regulatory divergence which is quite substantial, including the fact that the United States have to deal with a rather fragmented privacy legislation and, therefore, cannot guarantee a uniform level of protection in all of it’s States.
Undoubtably, the recent resolution of the European Parliament with reference to the “Data Privacy Framework” highlights the clear intention of the European Union to guarantee elevated standards of protection of personal data, and of its citizens rights .