The European Data Protection Board has adopted its opinion on the EU’s draft adequacy decision on the EU-US Data Privacy Framework. In summary, the EDPB says that it welcomes substantial improvements such as requirements to comply with the principles of necessity and proportionality for US intelligence gathering of data and the new redress mechanism for EU data subjects.
However, the EDPB has expressed concerns and requested clarifications on several points. These relate to certain rights of data subjects, onward transfers, the scope of exemptions, temporary bulk collection of data and how the redress function will work in practice. The EDPB thinks that both the decision’s entry into force and adoption should depend on the adoption of updated policies and procedures to implement Executive Order 14086 by all US intelligence agencies. The EDPB recommends that the European Commission assesses these updated policies and procedures and shares its assessment with the EDPB.
The draft adequacy decision was published by the European Commission on 13 December 2022. It is based on the EU-US Data Privacy Framework. This is designed to replace the Privacy Shield, which the CJEU said was invalid in the Schrems II judgment. The key component of the Data Privacy Framework is the EU-US Data Privacy Framework Principles, which were issued by the US Department of Commerce. The Data Privacy Framework only applies to US organisations which have self-certified.
The EDPB’s Opinion considers both the commercial aspects and US public authorities’ access and use of data.
On the commercial aspects, the EDPB welcomes the updates made to the Data Privacy Framework Principles. However, it notes that some Principles remain essentially the same as under the Privacy Shield. As such, it still has concerns, for example, relating to some exemptions to the right of access, the absence of key definitions, the lack of clarity about the application of the Data Privacy Framework Principles to processors, the broad exemption to the right of access for publicly available information, and the lack of specific rules on automated decision-making and profiling. The EDPB further reiterates that the level of protection must not be undermined by onward transfers. Therefore, it asks the European Commission to clarify that the safeguards imposed by the initial recipient on the importer in the third country must be effective in light of third country legislation, before an onward transfer.
In addition, the EDPB asks the Commission to clarify the scope of the exemptions to the duty to adhere to the Data Privacy Framework Principles and stresses the importance of effective oversight and enforcement of the Data Privacy Framework. The EDPB says it will closely monitor these aspects, together with the effectiveness of the redress avenues provided to EU data subjects whose personal information is processed in breach of the Data Privacy Framework.
The EDPB also considered government access to data transferred to the US. It acknowledges the significant improvements brought by Executive Order 14086. The Executive Order introduces the concepts of necessity and proportionality with regard to US intelligence-gathering of data (signals intelligence).
Furthermore, the new redress mechanism creates rights for EU individuals and is subject to review by the Privacy and Civil Liberties Oversight Board. The Executive Order also enshrines more safeguards aiming to ensure the independence of the Data Protection Review Court, compared to the previous Ombudsperson mechanism, and introduces more effective powers to remedy violations, including additional safeguards for data subjects.
The EDPB highlights that close monitoring is needed concerning the practical application of the newly introduced principles of necessity and proportionality. Further clarity is also necessary regarding temporary bulk collection and the further retention and dissemination of the data collected in bulk.
The EDPB is also concerned about the lack of a requirement for prior authorisation by an independent authority for the collection of data in bulk under Executive Order 12333, as well as the lack of systematic independent review ex post by a court or an equivalently independent body.
Regarding the redress mechanism, the EDPB recognises the additional safeguards provided, such as the role of the special advocates, and the review of the redress mechanism by the Privacy and Civil Liberties Oversight Board. At the same time, the EDPB is concerned about the general application of the standard reply of the Data Protection Review Court notifying the complainant that either no covered violations were identified or a determination requiring appropriate remediation was issued, especially given that this decision cannot be appealed. The EDPB therefore calls on the Commission to closely monitor the practical functioning of this mechanism.
The European Parliament has also been considering the Commission’s draft decision. In February, the Committee on Civil Liberties, Justice and Home Affairs rejected the adequacy decision. It said that it “fails to create actual equivalence in the level of protection” under the GDPR. It said that the European Commission should only adopt a decision when “meaningful reforms were introduced, in particular for national security and intelligence purposes” by the US. It is therefore significant that the EDPB has specifically said that it does not expect the US system to replicate the GDPR.