
IPOL | Policy Department for Citizens’ Rights and Constitutional Affairs

EXECUTIVE SUMMARY

Introduction

On 16 July 2020 the Court of Justice of the European Union (CJEU) invalidated Commission Decision 2016/1250 on the adequacy of the protection provided by the EU-US “Privacy Shield” agreement, concerned that US government surveillance powers are not limited as required by EU law, and that EU persons do not have effective means of redress. The judgment upheld the validity of standard contractual clauses to allow data transfers under the General Data Protection Regulation (GDPR), but requires data controllers to assess the level of data protection in the recipient’s country and to adopt “supplementary measures” if needed. In this context the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) requested this study on reforms to the legal framework for the exchange of personal and other data between the EU and the USA, to ensure that EU law requirements are satisfied and EU citizens’ rights are respected.

European data protection standards

In the EU, data protection is a fundamental right, enshrined in primary law. While activities of Member State authorities for national security purposes are outside EU competence, national constitutions and the European Convention on Human Rights apply. Moreover, the exemption does not apply to the imposition of legal obligations on private sector organisations, or to non-EU countries. Under the GDPR, personal data can only be freely transferred to countries held by the European Commission to provide “adequate”/“essentially equivalent” protection. Otherwise, “appropriate safeguards” must be adopted by the EU data exporter. A third country’s laws can only be said to provide such protection if they meet the standards set out in the European Data Protection Board (EDPB) Adequacy Referential. And in relation to access to personal data by a third country’s intelligence agencies, its laws can only be said to provide this protection if they meet the standards set out in the EDPB’s European Essential Guarantees for surveillance. Both documents fully reflect the CJEU’s case law.

US privacy and surveillance laws

A US Congressional Research Service review found a “patchwork” of federal data protection laws which “primarily regulate certain industries and subcategories of data.” The rather limited protections accorded to “US persons” by the Fourth Amendment are largely non-existent in relation to non-US individuals outside the USA, while “privacy torts” are too limited to even compare to EU data protection concepts. The Federal Trade Commission (FTC) Act gives the FTC powers to act against “unfair or deceptive acts or practices” by most commercial entities. Companies are bound by their data privacy and security promises, and certain privacy practices are held to be unfair. However, these broad principles cannot be relied on to read all of the many detailed requirements of EU data protection law into US law – in particular, a private right of action. Several broad federal privacy bills have been introduced in Congress since 2019, and the House of Representatives Energy and Commerce Committee staff have produced a “bipartisan discussion draft.” While such legislation would offer very significant improvements in the protection of personal data, as currently drafted, none of the bills achieve “essential equivalence” to the GDPR. Consumer privacy bills have been passed or introduced in dozens of the individual states. California’s Privacy Rights Act (CPRA) (which will enter fully into force in 2023) is closest to the GDPR, but still falls

8

PE 694.678
