17 Amendments of Gwendoline DELBOS-CORFIELD related to 2023/2501(RSP)
Amendment 19 #
Recital J a (new)
J a. whereas, while the US provides for a new mechanism for remedy for issues related to public authorities’ access to data, the remedies available for commercial matters under the adequacy decision are insufficient; notes that these issues are largely left at the discretion of companies which can select alternative remedy avenues such as dispute resolution mechanisms or the use of companies’ privacy programs;
Amendment 28 #
Paragraph 2
2. AcknowledgesTakes note of the efforts made in the EO to lay down limits on US Signals Intelligence Activities, by referring to the principles of proportionality and necessity, and providing a list of legitimate objectives for such activities; points out, however, that these principles are long-standing key elements of the EU data protection regime and that their substantive definitions in the EO are not in line with their definition under EU law and their interpretation by the CJEU; points out, furthermore, that for the purposes of the EU-US Data Privacy Framework, these principles will be interpreted solely in the light of US law and legal traditions; points out that the EO requires that signals intelligence must be conducted in a manner proportionate to the ‘validated intelligence priority’, which appears to be a broad interpretation of proportionality; is concerned that it is not a requirement that analysts conduct a proportionality assessment for each surveillance decision;
Amendment 33 #
Paragraph 3
3. Regrets the fact that the EO does not prohibitstill provides for the bulk collection of data by signals intelligence, including the content of communications; notes that the list of legitimate national security objectives can be expanded by the US President, who can determine not to make the relevant updates public; notes that the EO limits the purposes of bulk collection to twelve legitimate purposes and four prohibited purposes; points out that the EO explicitly provides for amendments and expansion of the legitimate purposes by a secret EO; underlines that already the twelve purposes foreseen now are extremely broad; reminds that in "Schrems II", the Court explained that US surveillance failed to satisfy EU law because it failed to require an “objective criterion” “capable of justifying” the government interference with privacy;
Amendment 41 #
Paragraph 3 a (new)
3 a. Takes note that the draft adequacy decision tries to manoeuvre around this by playing word-games with “bulk” and “mass” surveillance, which does not change the practice of mass surveillance;
Amendment 42 #
Paragraph 3 b (new)
3 b. Does not expect the EO will change the scope of US surveillance in practice; reminds that after Presidential Policy Directive (PPD) 28, which formed the basis for the "Privacy Shield" adequacy decision, the Privacy and Civil Liberties Oversight Board (PCLOB) issued a review report [1] and concluded that PPD-28 had essentially memorialized what the intelligence community was already doing before; expects the same conclusion under the new EO as well; [1] https://documents.pclob.gov/prod/Docume nts/OversightReport/caec5956-e1e4-4d11- a840-6e13114962c1/PPD- 28%20Report%20(for%20FOIA%20Relea se)%20-%20Completed%20508%20- %2012082022.pdf
Amendment 47 #
Paragraph 4 a (new)
4 a. Understands that in the US interpretation, “signals intelligence” covers all data access methods provided for in the Foreign Intelligence Surveillance Act (FISA), including from “remote computing service” providers ad added with the FISA Amendment Act §1881a in 2008; calls on the Commission to clarify the definition and scope of “signals intelligence” in the U.S. legal meaning;
Amendment 50 #
Paragraph 4 b (new)
4 b. Reminds that under FISA Section 702, the U.S. government still claims the power to target any non-U.S. person abroad to obtain foreign intelligence, broadly defined;
Amendment 54 #
Paragraph 5
5. Points out that the decisions of the Data Protection Review Court (‘DPRC’) will be classified and not made public or available to the complainant; points out that the DPRC is part of the executive branch and not the judiciarymeaning that and a person bringing a case will have no chance of being informed about the substantive outcome of the case; points out that the DPRC is part of the executive branch and not the judiciary; its judges are appointed for only four years and can be removed by the US President at will; and the President can overrule its decisions, even in secret; points out that a complainant will be represented by a ‘special advocate’ designated by the DPRC, for whom there is no requirement of independence; points out that the redress process provided by the EO is based on secrecy and does not set up an obligation to notify the complainant that their personal data has been processed, thereby undermining their right to access or rectify their data; notes that the proposed redress process does not provide for an avenue for appeal in a federal court and therefore, among other things, does not provide any possibility for the complainant to claim damages; concludes that the DPRC does not meet the standards of independence and impartiality of Article 47 of the Charter;
Amendment 68 #
Paragraph 8
8. Points out that, unlike all other third countries that have received an adequacy decision under the GDPR, the US still does not have a federal data protection law, and that the federal proposals so far do not meet all the requirements of the GDPR for an adequacy finding; strongly encourages again the US legislator to enact legislation that meets those requirements, and to thereby contribute to ensuring that US law provides an essentially equivalent level of protection to that currently guaranteed in the EU; points out that the EO is not clear, precise or foreseeable in its application, as it can be amended at any time by the US President; is therefore concerned about the absence of a sunset clause which could provide that the decision would automatically expire four years after its entry into force;
Amendment 74 #
Paragraph 8 a (new)
8 a. Notes that the Data Privacy Framework principles issued by the US Department of Commerce have not undergone sufficient amendments, in comparison to those under the Privacy Shield, to provide essentially equivalent protection to that provided under the General Data Protection Regulation (GDPR);
Amendment 75 #
Paragraph 8 b (new)
Amendment 77 #
Paragraph 8 c (new)
8 c. Is concerned about the exemptions for not having to adhere to the DPF Principles; stresses the importance of effective redress, oversight and enforcement;
Amendment 81 #
Paragraph 10
10. Recalls that, in its resolution of 20 May 2021, Parliament called on the Commission not to adopt any new adequacy decision in relation to the US, unless meaningful reforms were introduced, in particular for national security and intelligence purposes; does not consider the Executive Order issued by President Biden on 7nd October 2022 as meaningful enough;
Amendment 82 #
Paragraph 10 a (new)
10 a. Recalls that the European Commission must assess the adequacy of a third country based on legislation and practices in place not only in substance but also in practice as established under Schrems I, Schrems II and the GDPR (recital 104);
Amendment 83 #
Paragraph 10 b (new)
10 b. Notes that while the US is making important commitment to improve access to remedy and rules on data processing by public authorities, the US Intelligence Community has until October 2023 to update their policies and practices in line the commitment of the EO (see adequacy decision recital 120) and that the US Advocate General has yet to name the EU and its Members States as qualifying countries to be eligible to access the remedy avenue available under the DPRC; underlines that this means that the Commission was not able to assess “in practice” the effectiveness of the proposed remedies and proposed measures on access to data; therefore, calls on the Commission to only proceed with next step of any adequacy decision once these deadlines and milestones have first been completed by the US to ensure that the commitments have been delivered in practice; in the event that all aspects are sufficiently addressed, points at the EDPB recommendation to conduct reviews every three years;
Amendment 87 #
Paragraph 11
11. Concludes that the EU-US Data Privacy Framework fails to create actual equivalence in the level of protection; calls on the Commission to continue negotiations with its US counterparts with the aim of creating a mechanism that would ensure such equivalence and which would provide the adequate level of protection required by Union data protection law and the Charter as interpreted by the CJEU; urges the Commission not to adopt the adequacy finding; urges the Commission to not make the same mistake three times;
Amendment 92 #
Paragraph 11 a (new)
11 a. Expects any adequacy decision, if adopted, to be challenged at the Court of Justice again; expects serious consequences within and by the Commission in the predictable scenario that the adequacy decision will again be invalidated by the Court;