The proposed EU-U.S. Data Privacy Framework (DPF) is starting to look dead on arrival. European MEPs voted 306 to 27 (with 231 abstaining) to accept a resolution that the European Commission should reject granting the U.S. an adequacy decision for the DPF.
While the MEPs recognized that the proposed DPF is an improvement over the EU-U.S. Privacy Shield and its predecessor, the U.S.-EU Safe Harbor, it still suffers from significant problems. In order to provide certainty to organizations, the MEPs believe that the DPF needs to be future-proof so it wont be overturned in court as the Privacy Shield and Safe Harbor frameworks were. Therefore, the assessment of adequacy needs to be based on the practical implementation of the rules and the MEPs feel that the proposed DPF doesn't meet those requirements.
Most notably, the MEPs pointed out that bulk collection of personal information by law enforcement is still not subject to independent prior authorization and there are few rules around data retention.
It was also pointed out that the proposed creation of the Data Protection Review Court (DPRC) is not adequate because its decisions would be secret and EU citizens would not have the right to access and rectify personal data about them. The MEPs also pointed out that the DPRC would not be a truly independent judicial body since the judges on the court serve at the pleasure of the President and could be dismissed at any time. Plus, the President can overrule the decisions of the DPRC, making its decisions subject to the views of the President.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.