European Data Protection Board acknowledges improvements in the EU-US Data Privacy Framework, with concerns
On 28 February 2023, the European Data Protection Board (EDPB) published its non-binding Opinion 5/2023 on the European Commission Draft Implementing Decision on the adequate protection of personal data under the European Union-United States Data Privacy Framework (EU-US DPF).
The EU-US DPF is intended to replace the Privacy Shield, the former legal framework regulating transatlantic exchanges of personal data for commercial purposes between the EU and the US, which was ruled invalid in 2020. Once the European Commission adopts its new adequacy decision, participating organisations will be able to rely on the EU-US DPF Principles to transfer EU personal data to the US in compliance with EU law.
The EDPB acknowledged the significant improvements of the EU-US DPF, such as the integration of necessity and proportionality principles in US intelligence data gathering and the establishment of a new redress mechanism for EU data subjects. However, the EDPB expressed some concerns and requested clarification on specific points, including data subject rights, onward transfers, exemptions, temporary bulk data collection, and practical application of the redress mechanism.
Comments on the commercial aspects of the EU-US DPF
The EDPB has observed that a number of principles that were present under the Privacy Shield remain unchanged. However, it still has multiple reservations including, for example:
- Certain exemptions to the right of access may be too broad, specifically the right of access for publicly available information
- The absence of key definitions
- The lack of clarity about the application of DPF Principles to processors
- The lack of specific rules on automated decision-making and profiling
In addition, the EDPB emphasised that the level of protection for personal data must not be undermined by onward transfers, and therefore, it urged the Commission to clarify that the safeguards put in place by the initial recipient on the importer in the third country must be effective in light of third country legislation, prior to an onward transfer.
Comments on the governmental aspects of the EU-US DPF
The Opinion also recognised the substantial progress made by Executive Order 14086 (EO), signed by President Biden in October, regarding government access to data transmitted to the US. Specifically, the EO introduces the principles of necessity and proportionality concerning US intelligence-gathering of data (signals intelligence). The EDPB proposed that not only the entry into force but also the adoption of the draft decision should be conditional upon updated policies and procedures for implementing the EO by all US intelligence agencies. Furthermore, the Opinion recommends that the Commission review these updated policies and procedures and share its evaluation with the EDPB.
Additionally, the new redress mechanism establishes rights for EU individuals and is to be reviewed by the Privacy and Civil Liberties Oversight Board. The EO also establishes further safeguards to guarantee the autonomy of the Data Protection Review Court compared to the previous Ombudsperson mechanism, and introduces more effective powers to address violations, including additional safety measures for data subjects.
The EDPB emphasises the importance of closely monitoring the practical implementation of the newly introduced principles of necessity and proportionality. There is also a need for more precise guidance on temporary bulk collection and the additional retention and dissemination of the data gathered in bulk.
What happens next?
The Opinion acknowledges the positive improvements offered by the EO, particularly the introduction of the principles of necessity and proportionality and the redress mechanism for EU data subjects. However, the EDPB recommends that the Commission address the concerns raised and provide necessary clarifications to strengthen the draft decision and ensure effective monitoring of the framework's implementation and safeguards in future joint reviews.
For organisations wishing to use the EU-US DPF for data transfers, the wait continues, with adoption of the final adequacy decision not expected until later in 2023. For now, the Commission's next step will be to pass the draft decision to a committee of EU Member State representatives for their approval. Although the Opinion is not binding on the Commission, the Commission may take it into account when preparing the final decision, and it is likely to influence the committee in its upcoming review.
On 13 December 2022, the European Commission released the Draft Adequacy Decision, which relies on the EU-US DPF as a substitute for the invalidated Privacy Shield under the Schrems II ruling by the Court of Justice of the European Union. The key component of the DPF is the EU-US Data Privacy Framework Principles, which were issued by the US Department of Commerce. The DPF is only applicable to US organisations which have self-certified. The EDPB has issued its opinion on the Draft Decision, assessing both commercial and US public authorities' access and use of data. For more information, our blog post can be accessed here.