European Data Protection Board opinion on the draft adequacy decision for the EU-US Data Privacy Framework

Thanks to Marco Boscariol for collaborating on this article

On February 28, 2023, the European Data Protection Board (the “EDPB”) published its opinion (the “EDPB Opinion”) on the European Commission Draft Implementing Decision (the “Draft Decision”) on the adequate protection of personal data under the EU-US Data Privacy Framework, based on the new privacy rules introduced in the United States with Executive Order 14086.

The Draft Decision

The Draft Decision (available here) was published by the European Commission on December 13, 2022, pursuant to Article 45 of the GDPR. In the Draft Decision, the Commission concluded that the EU-US Data Privacy Framework provided safeguards comparable to those granted under EU law, because

  • any interference with individuals’ fundamental rights in the public interest is limited to the strictly necessary; and
  • effective legal protection against such interference is provided.

Once adopted, it will enable the transfer of data to the United States, following invalidation of the previous adequacy decision on the EU-US Privacy Shield by the Court of Justice of the European Union.

The EDPB Opinion

The EDPB Opinion constitutes the first step in the process of adopting the adequacy decision on the EU-US Data Privacy Framework.

Overall, the EDPB acknowledged substantial improvements over the Privacy Shield, but at the same time it noted some concerns and requested clarification on certain points, namely:

  • General concerns: The EDPB called for more context regarding U.S. legislation in the Draft Decision, which is frequently referenced in the EU-US Data Privacy Framework. According to the EDPB, there is lingering uncertainty as to the effectiveness of the scope of the obligations set forth in the EU-US Data Privacy Framework. Additionally, the EDPB noted a general lack of clarity throughout the document, in part due to inconsistent terminology.

Additionally, the EDPB stressed the need to define terms and concepts that may be interpreted differently in the EU and the United States. The EDPB also mentioned critical issues regarding an individual’s right of access, right of object, and right not to be subject to decisions based solely on automated processing.

There is also concern regarding dissemination of data to U.S. authorities that would enable them to obtain data that they would not have been allowed to collect directly. Similar criticism concerns onward transfers, i.e., dissemination to additional recipients outside the U.S. government, including foreign governments and international organizations. Indeed, the lack of controls on onward transfers may undermine the level of protection ensured by original recipients in the United States.

  • Enforcement mechanisms: The EDPB reiterated concerns regarding the (self) certification mechanism provided by the EU-US Data Privacy Framework. According to the EDPB, under the Privacy Shield this mechanism proved to be ineffective (as a mere formality). The EDPB therefore called for effective oversight as part of periodic reviews.
  • Redress mechanisms: The EDPB considered the new redress mechanisms a significant improvement over the previous mechanisms under the Privacy Shield. Nevertheless, the EDPB stressed the need to assess the genuine independence of the two relevant bodies, the Privacy and Civil Liberties Oversight Board and the Data Protection Review Court, as well as the need for the European Commission to monitor the functioning of these mechanisms.
  • Access and use of personal data by U.S. public authorities: The EDPB praised the introduction of the concepts of necessity and proportionality into the U.S. legal framework on signals intelligence, which shall now be conducted only to the extent necessary for validated intelligence priority collection and only to the extent and in a manner proportionate to that priority.

However, the EDPB noted that the requirements set forth in Executive Order 14086 need to be further implemented by U.S. agencies. Therefore, the EDPB recommended that the European Commission make the adoption of the final decision conditional upon implementation of Executive Order 14086 by U.S. agencies. The EDPB also called for clarification regarding the retention rules applicable to personal data.

The EDPB also looked at bulk collection of personal data. As this involves large quantities of data collected indiscriminately, it presents greater risk for individuals than targeted collection and thus requires additional safeguards. The EU-US Data Privacy Framework provides that data collected in bulk shall be used in pursuit of one or more of six listed objectives, but the EDPB noted that that form of collection remains largely accessible. Moreover, the EDPB demanded introduction of specific safeguards for automated decision-making and profiling, namely to ensure purpose limitation, prior independent authorization, rules on data retention, and safeguards regarding dissemination.

The EDPB also stressed the need to verify accurately the number and scope of exemptions from the duty to adhere to the principles set out in the EU-US Data Privacy Framework, which may reduce the effectiveness of its safeguards. Additionally, the EDPB called for greater clarity regarding implementation and function of the principles of proportionality, purpose limitation, and necessity (for instance, in the context of application of FISA Section 702).

  • Periodic reviews: The EDPB suggested that the Commission carry out periodic reviews of the adequacy decision every three years.

Next steps for the draft adequacy decision

The EDPB Opinion marked the first step in the process of adopting the adequacy decision on the EU-US Data Privacy Framework. Another step has already been taken: the European Parliament Committee on Civil Liberties, Justice and Home Affairs has expressed its opinion as well. It challenged the assessment carried out in the Draft Decision, stating that the EU-US Data Privacy Framework does not ensure an adequate level of protection. The full Parliament vote on the resolution on the adequacy of protection afforded by the EU-US Data Privacy Framework is expected to take place in the coming months. We will see then how much weight the Commission gives to these non-binding opinions as part of the process of adopting the Draft Decision.

Seguici su