EU-US Data Privacy Framework advancements welcomed by the EDPB, however concerns remain

While the EDPB welcomes advancements in the EU-US Data Privacy Framework, the organisation remains concerned about various points.

The EDPB has recently released a statement welcoming developments under the EU-US Data Privacy Framework. The organisation has, however, put forward several concerns and requests for clarification. The EDPB welcomes further updates to the principles of the Data Privacy Framework, noting that a number of the principles have not changed since the Privacy Shield. The EDPB therefore invites the European Commission to clarify various aspects of this framework.

The EDPB suggests that the Data Privacy Framework should consider access and use of data by both commercial entities and US public authorities.

 

The draft adequacy decision published in December 2022 by the European Commission is based on the Data Privacy Framework, the principles of which were issued by the US Department of commerce. The Data Privacy Framework is currently only applicable to US organisations which have been self certified. The opinion on this draft decision adopted by the EDPB considers access and use of data by both commercial entities and US public authorities. The EDPB acknowledges the significant improvements introduced by Executive Order 14086, which introduces the concepts of necessity and proportionality with regard to U.S. intelligence-gathering of data. However, the organisation also suggests that close monitoring is needed concerning the practical application of the newly introduced principles of necessity and proportionality. 

The EDPB calls on the European Commission for further assessment of recently introduced principles.

 

With the adoption of updated policies and procedures to implement Executive Order 14086 by all U.S. intelligence agencies, the EDPB believes that close monitoring should be required considering the practical application of the principles recently introduced, for example the principles of necessity and proportionality. The EDPB recommends that the Commission assess these updated policies and procedures and share its assessment with the EDPB for further clarification. In particular, the EDPB believes that the level of protection provided should not be undermined by onward transfers. The EDPB therefore welcomes the European Commission to clarify that the safeguards imposed by the initial recipient in the third country must be effective under the legislation of the third country, prior to an onward transfer. In addition, the EDPB wants clarification on the scope of the exemptions regarding the duty to adhere to the principles of, and stresses the importance of effective oversight and enforcement of the Data Privacy Framework. 

 

The EDPB suggests that after the first review of the adequacy decision, subsequent reviews should be undertaken.

 

The EDBP suggests periodic reviews of the adequacy decision to ensure its longevity. According to EDPB Chair Andrea Jelinek, “A high level of data protection is essential to safeguard the rights and freedoms of EU individuals. While we acknowledge that the improvements brought to the U.S. legal framework are significant, we recommend to address the concerns expressed and to provide clarifications requested to ensure the adequacy decision will endure. For the same reason, we think that after the first review of the adequacy decision, subsequent reviews should take place at least every three years and we are committed to contributing to them.” 

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today. 
