On February 28, 2023, the European Data Protection Board (“EDPB”) published its non-binding opinion on the European Commission’s draft adequacy decision for the EU-U.S. Data Privacy Framework (“DPF”). As we have previously written, the DPF is intended to re-establish one of the legal mechanisms for transfers of personal data from the European Union (“EU”) to the U.S. The DPF replaces the EU-U.S. Privacy Shield (“Privacy Shield”), which the EU Court of Justice (“CJEU”) invalidated in its July 2020 Schrems II decision. The EDPB’s opinion examines U.S. administrative procedural changes, government access and use of personal data transferred to the U.S., and the implementation of the draft adequacy decision. In the opinion, the EDPB recognized substantial improvements in the DPF when compared to the Privacy Shield, but it raised concerns and noted aspects that require further clarification. While the EDPB’s opinion is non-binding, it does carry political weight in the approval process for the new DPF. It will likely be considered together with the European Parliament’s recent recommendation from February 2023, urging the European Commission to seek a stronger framework. Despite these concerns, the European Commission is still expected to finalize the DPF later this year.
- The EDPB recognized significant improvements brought by U.S. Executive Order 14086, which introduced redress mechanisms and principles of necessity and proportionality around the gathering of intelligence data by the U.S. government. However, the EDPB notes that the adoption of the adequacy decision should be made conditional on the adoption of policies that implement Executive Order 14086 by all U.S. intelligence agencies.
- The EDPB noted that further clarification is necessary around bulk data collection and dissemination. The EDPB expressed concern over the lack of requirements for prior authorization by an independent authority for bulk data collection.
- The EDPB noted substantial improvements from Privacy Shield regarding the powers of the Data Protection Review Court (“DPRC”). However, it notes that the “general application of the standard response” by the DPRC may not effectively address rights of individuals and considerations of national security.
- The EDPB also noted there is a lack of clarity on the application of DPF principles to data processors, that the exceptions to the right to access may be too broad, and that additional safeguards are necessary regarding automated decision-making.
- The EDPB emphasized the importance of effective oversight and enforcement of the DPF and recommended reviews of the adequacy decision at least every three years.
The DPF must now obtain the green light from a committee of EU Member State representatives. Additionally, the European Parliament may exercise its right of scrutiny over adequacy decisions. While the EDPB opinion is not binding, it will likely influence both Member State representatives and the European Parliament. Once these steps are completed, the European Commission can proceed with adopting the adequacy decision. As discussed above, the DPF would allow personal data to flow between the EU and participating U.S. companies certified by the Department of Commerce under the new framework. As with Privacy Shield, participating companies will undertake a self-certification process.