16 Amendments of Lena DÜPONT related to 2023/2501(RSP)
Amendment 2 #
Citation 14
— having regard to the Adequacy Referential of the Article 29 Working Party (WP 251 rev.01) as endorsed by the European Data Protection Board (EDPB), to the EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, and to the EDPB Recommendations 02/2020 on the European Essential Guarantees for surveillance measures,
Amendment 3 #
Recital A
A. whereas in the ‘Schrems I’ judgment, the Court of Justice of the European Union (CJEU) invalidated the Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce9, and pointed out that indiscriminate access by intelligence authorities to the content of electronic communications violates the essence of the fundamental right to confidentiality of communications provided for in Article 7 of the Charter; whereas the Court pointed out that, for the purpose of an adequacy decision, a third country does not have to ensure an identical, but "essentially equivalent" level of protection to that guaranteed in EU law, which may be ensured through different means; _________________ 9 OJ L 215, 25.8.2000, p. 7.
Amendment 7 #
Recital E
E. whereas, when examining the level of protection afforded by a third country, the Commission is obliged to assess the content of the rules applicable in that country deriving from its domestic law or its international commitments, as well as the practice designed to ensure compliance with those rules; whereas, if such assessment were to be found unsatisfactory in terms of adequacy and equivalence, the Commission should refrain from establishing an adequacy decision since it is conditional to the implementation;
Amendment 14 #
Recital H
H. whereas mass surveillance, including the bulk collection of data, by state actors is detrimental to the trust of European citizens and businesses in digital services and, by extension, in the digital economy;
Amendment 15 #
Recital H a (new)
H a. whereas previous jurisprudence of the European Court of Human Rights acknowledges that bulk interception to protect national security and other essential national interests against serious external threats is not prohibited, and States enjoy a margin of appreciation in deciding what type of interception regime is necessary;
Amendment 18 #
Recital J
J. whereas there is no federal privacy and data protection legislation in the United States (US); whereas the EU and the US have differing definitions of key data protection concepts such as principles of necessity and proportionalitynew EO introduces definitions of principles of necessity and proportionality in line with those used in the EU legal system;
Amendment 21 #
Paragraph 1
1. Recalls that privacy and data protection are legally enforceable fundamental rights enshrined in the Treaties, the Charter and the European Convention of Human Rights, as well as in laws and case-law; emphasises that they must be applied in a manner that does not unnecessarily hamper trade or international relations, but can be balanced only against other fundamental rights and not against commercial or political interests; whereas, according to consolidated case law of the Court of Justice of the European Union and the European Court of Human Rights, fundamental rights can be balanced against objectives of general interest, such as the protection of national security, provided that any limitation to the rights and freedoms of individuals is necessary and proportionate to meet such objectives;
Amendment 27 #
Paragraph 2
2. Acknowledges the efforts made in the EO to lay down limits on US Signals Intelligence Activities, by referring to the principles of proportionality and necessity, and providing a list of legitimate objectives for such activities; points out, however, that these principles which are long- standing key elements of the EU data protection regime and that their substantive definitions in the EO are not in line with their definition under EU law and their interpretation by the CJEU; points out, furthermore, that for the purposes of the EU-US Data Privacy Framework, these principles will be interpreted solely in, will have to be operationalised and implemented, in the policies and procedures of US intelligence agencies within one year; notes that the EU lists 12 legitimate objectives that may be pursued when conducting signals intelligence collection and 5 objectives for which signals intelligence collection is prohibited; notes that the lighst of US law and legal traditionslegitimate national security objectives can be expanded by the US President, who can determine not to make the relevant updates public; points out that the EO requires that signals intelligence must be conducted in a manner necessary and proportionate to the ‘validated intelligence priority’, which appears to be a broad interpretation of proportionality; further justifies the purpose for which intelligence collection may take place;
Amendment 35 #
Paragraph 3
3. Regrets the fact that the EO does not prohibitNotes that the EO allows the bulk collection of data by signals intelligence, including the content of communications; notes that the list of legitimate national security objectives can be expanded by the US President, who can determine not to make the relevant updates publicreminds that the EO provides that targeted collection should be prioritized over bulk collection; notes that, while the EO contains several safeguards in case of bulk collection, it does not provide for independent prior authorisation for bulk collection, which is also not foreseen under EO 12333;
Amendment 46 #
Paragraph 4
Amendment 51 #
Paragraph 5
5. Points out that the decisions of the Data Protection Review Court (‘DPRC’) will be classified and not made public or available to the complainant; points out that the DPRC is part of the executive branch and not the judiciary; points outis part of the executive branch and not the judiciary; notes, however, that only an administrative body within executive branch can enjoy both requisite independence and overcome standing requirement applicable to US federal courts; considers that EO 14086 foresees several guarantees to ensure the independence of DPRC judges, as also recognised by the EDPB in its opinion; calls on the Commission to closely monitor the application of these safeguards for independence in practice; recognises that the DPRC will adopt reasoned decision; notes, however, that the decisions of the DPRC will be classified and not made public; notes that athe complainant will be represented by a ‘special advocate’ designated by the DPRC, for whom there is no requirement of independenceinformed that "the review either did not identify any covered violations or the DPRC issued a determination requiring appropriate remediation"; points out that the redress process provided by the EO is based on secrecy and does not set up an obligation to notify the complainant that their personal data has been processed, thereby undermining their right to access or rectify their data; notes that the proposed; notes, however, that the complainant will be notified if the information included in the decision of the DPRC has been declassified; points out that a complainant will be redpress processented by a ‘special advocate’ does not provide for an avenue for appeal in a federal court and therefore, among other things, does not provide any possibility for the complainant to claim damages; concludes that the DPRC does not meet the standards of independence and impartiality of Article 47 of the Charter; ignated by the DPRC; points out that the DPRC has the power to access all necessary information and to remedy violations (e.g. to order the deletion of data); notes that the PCLOB will independently review the functioning of the new redress mechanism; points out that the new redress mechanism does not allow for the US Attorney General to dismiss and supervise the DPRC Judges; calls on the Commission to closely monitor this new framework;
Amendment 58 #
Paragraph 6
6. Notes that, while the US has provided for a new mechanism for remedy for issues related to public authorities’ access to data, the remedies available for commercial matters under the adequacy decision are insufficient; notes that these issues are largely left to the discretion of companies, which can select alternative remedy avenues such as dispute resolution mechanisms or the use of companies’ privacy programmemain the same; calls on the Commission to closely monitor the effectiveness of these redress mechanisms;
Amendment 65 #
Paragraph 7
7. Notes that European businesses need and deserve legal certainty; stresses that successive data transfer mechanisms, which were subsequently repealed by the CJEU, created additional costs for European businesses; notes that continuing uncertainty and the need to adapt to new legal solutionserefore the need to ensure legal certainty and avoid a situation that is particularly burdensome for micro, small and medium- sized enterprises; regrets that the lack of an adequacy decision increases financial and administrative burden;
Amendment 69 #
Paragraph 8
8. Points out that, unlike all other third countries that have received an adequacy decision under the GDPR, the US still does not have a federal data protection law; points outacknowledges that the EO is not clear, precise or foreseeable in its application, as it can be amended at any time by the US President; is therefore concerned about the absence of a sunset clause which could provide that the decision would automatically expire four years after its entry into forcecan be amended by the US President; expects therefore the Commission to suspend the decision, in case the President decides to restrict the safeguards included in the EO; notes that the review of the adequacy finding will take place after one year from the date of the notification of the adequacy decision to the Member States and subsequently at least every four years; calls on the Commission to carry out the subsequent reviews at least every three years, as requested by the EDPB in its opinion;
Amendment 84 #
Paragraph 11
Amendment 91 #
Paragraph 11 a (new)
11 a. Calls on the Commission to assure EU businesses and citizens that the adequacy decision will provide a solid, sufficient and future-oriented legal basis for EU-US data transfers; underlines the importance of making sure that this adequacy decision will be deemed acceptable if reviewed by the CJEU and stresses that recommendations made in the EDPB opinion should therefore be taken on board;