While the EDPB welcomes advancements in the EU-US Data Privacy Framework, the organisation remains concerned on various points.
The EDPB has recently released a statement welcoming developments under the EU-US data privacy framework. The organisation however has put forward several concerns and requests for clarification. The EDPB welcomes further updates to the principles of the data privacy framework, noting that a number of the principles have not changed since the Privacy Shield. The EDPB therefore invites the European commission to clarify various aspects of this framework.
The EDPB suggests that the Data Privacy Framework should consider access and use of data by both commercial entities and US public authorities.
The draft adequacy decision published in December 2022 by the European Commission is based on the Data Privacy Framework, the principles of which were issued by the US Department of commerce. The Data Privacy Framework is currently only applicable to US organisations which have been self certified. The opinion on this draft decision adopted by the EDPB considers access and use of data by both commercial entities and US public authorities. The EDPB acknowledges the significant improvements introduced by Executive Order 14086, which introduces the concepts of necessity and proportionality with regard to U.S. intelligence-gathering of data. However, the organisation also suggests that close monitoring is needed concerning the practical application of the newly introduced principles of necessity and proportionality.
The EDPB calls on the European Commission for further assessment of recently introduced principles.
With the adoption of updated policies and procedures to implement Executive Order 14086 by all U.S. intelligence agencies, the EDPB believes that close monitoring should be required considering the practical application of the principles recently introduced, for example the principles of necessity and proportionality. The EDPB recommends that the Commission assess these updated policies and procedures and share its assessment with the EDPB for further clarification. In particular, the EDPB believes that the level of protection provided should not be undermined by onward transfers. The EDPB therefore welcomes the European Commission to clarify that the safeguards imposed by the initial recipient in the third country must be effective under the legislation of the third country, prior to an onward transfer. In addition, the EDPB wants clarification on the scope of the exemptions regarding the duty to adhere to the principles of, and stresses the importance of effective oversight and enforcement of the Data Privacy Framework.
The EDPB suggests that after the first review of the adequacy decision, subsequent reviews should be undertaken.
The EDBP suggests periodic reviews of the adequacy decision to ensure its longevity. According to EDPB Chair Andrea Jelinek, “A high level of data protection is essential to safeguard the rights and freedoms of EU individuals. While we acknowledge that the improvements brought to the U.S. legal framework are significant, we recommend to address the concerns expressed and to provide clarifications requested to ensure the adequacy decision will endure. For the same reason, we think that after the first review of the adequacy decision, subsequent reviews should take place at least every three years and we are committed to contributing to them.”