The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) has advised against signing the proposed US data-transfer pact despite an agreement in principle, on the basis of the adequacy of protection.
EU president Ursula von der Leyen and US president Joe Biden had previously reached an agreement on how data transfer should take place between the US and the EU’s member states in an effort to remain compliant with pre-existing protections, like General Data Protection Regulation (GDPR).
Despite this, LIBE says that the Data Privacy Framework (DPF) doesn’t quite meet the strict standards of the GDPR, and that its progression should be halted until “meaningful reforms were introduced”.
LIBE explains in its draft motion for a resolution
(opens in new tab) that the DPF:
“…Fails to create actual equivalence in the level of protection; [and that it] calls on the Commission to continue negotiations with its US counterparts with the aim of creating a mechanism that would ensure such equivalence and which would provide the adequate level of protection required by Union data protection law and the Charter as interpreted by the [European Court of Justice]”.
It’s also noted that the US does not have a federal law in terms of data protection and that the executive order can be amended at any point by the US president: either Joe Biden or his successor.
Among other findings, the order does not cover data accessed by public authorities via other means, nor does it apply to commercial data purchases or voluntary data sharing agreements.
Whatever format the DPF agreement takes, EU-based companies will be able to share personal data with US companies without needing to consider additional safeguarding measures. However, the precise format of that DPR looks to be a few steps away from being finalized just yet, meaning transatlantic businesses will have to wait even longer.