The European Parliament adopted a Resolution on 11 May 2023 against the adoption of an EU adequacy decision for the US based on the EU-US Data Privacy Framework (DPF). The Resolution comes after an analysis by the European Parliament of the Executive Order on Enhancing Safeguards For United States Signals Intelligence Activities (EO 14086), which was adopted in the US in order to implement the DPF (for more details, see our previous Legal Update).
The European Parliament took the view that the EU-US DPF fails to create essential equivalence in the level of protection as compared to the European framework. In the European Parliament’s view, EO 14086 does not provide sufficient safeguards for the transfer of personal data from the EU to the US, considering the below aspects:
- Signals intelligence practices in the US are still considered too broad, as they allow the collection of personal data in bulk, including the content of communications. EO 14086 contains safeguards with regard to bulk collection of data, but such collection is not subject to an independent prior authorization, which is required in order to limit US intelligence activities, as pointed out by the European Data Protection Board in its opinion about the DPF. The European Parliament expressed concern that US authorities would by this means get access to data they would otherwise have been prohibited from accessing;
- European citizens are not able to seek effective legal remedy in the European Parliament’s view. Although a redress mechanism has been created for European citizens under the EO 14086, the decision of the competent authority is not intended to be made public, so that the data subject filing the complaint would not have the possibility to appeal the decision or claim damages.