General Data Protection Regulation (GDPR) , Standards, Regulations & Compliance
European Parliament Rejects EU-US Data FrameworkNonbinding Vote Urges European Commission to Re-Open Negotations With US
Lawmakers called on the European Commission to reject a draft legal framework facilitating trans-Atlantic commercial data flows in a nonbinding vote by the European Parliament.
See Also: Handling Open-Source Content Licensing: Wrong Answers Only
A majority of the legislative body said a pact dubbed the EU-U.S. Data Privacy Framework, finalized last fall after nearly two years of negotiations between Brussels and Washington, fails to protect European citizens from American bulk online surveillance (see: President Biden to Sign Order for Trans-Atlantic Data Flows).
The parliament voted Thursday 306-27, with 231 abstentions, for a resolution calling on the commission to re-open negotiations with the United States.
"The EU-U.S. Data Privacy Framework fails to create essential equivalence in the level of protection," the resolution states. The outcome of Thursday's vote was widely expected and came months after the European Data Protection Board similarly criticized the framework.
"This new proposal contains significant improvements, but unfortunately, we are not there yet. There are still missing elements on judicial independence, transparency, access to justice, and remedies," said Juan Fernando López Aguilar, a Spanish member of the parliament who chairs the Committee on Civil Liberties, Justice and Home Affairs.
Europe's executive body in December adopted a draft decision accepting the framework, paving its way for formal ratification.
EU Justice Commissioner Didier Reynders defended the agreement in a Thursday tweet, stating the framework "brings solid safeguards and legal certainty."
"We now have a robust framework that will create global convergence in safe dataflows," Reynders said.
Data transfers outside of Europe, absent specific authorization such as through a contract, require the commission to determine that a foreign country has an adequate level of protection comparable to the General Data Protection Regulation. The framework set out European terms for recognizing the United States as offering adequate protections, including an executive order President Joe Biden signed in October requiring the intelligence community to weigh privacy impacts. Without a framework, the ability of U.S. tech companies such as Facebook and Google to process European's data becomes harder, possibly impossible. Facebook in early 2022 said it would likely have to withdraw from the European market absent a trans-Atlantic data flow framework. A 2021 study commissioned by trade association Digital Europe concluded that a loss of cross-border data flows on exports from data-reliant sectors would lead to an annual reduction in EU gross domestic product of 330 billion euros.
The EU-U.S. Data Privacy Framework is the third attempt by the U.S. and Europe to put in place a commercial data transfer mechanism. The previous two mechanisms, the Safe Harbor Framework and the Privacy Shield, fell in the European Court of Justice to legal challenges initiated by privacy activists.
Jonathan Armstrong, a partner at Cordery Compliance who monitors European privacy law, called today's vote "no surprise." European lawmakers appear to think that the EU-U.S. Data Privacy Framework is vulnerable to another privacy challenge, "and I agree," he said. The framework "isn't likely to be a lasting solution and isn't likely to provide the long-term certainty that both the Commission and the Biden administration say they are looking for."