The EDPB’s verdict on the draft adequacy decision (the EU-US Data Privacy Framework or DPF) is in!
The tone is more measured than the European Parliament Committee on Civil Liberties, Justice and Home Affairs draft resolution (which was quite damning!) with a more sympathetic approach to the improvements introduced by the executive order made last year.
The EDPB made a general point that the DPF is not easy to understand and follow given the number and structure of annexes, missing definitions, consistency in terminology etc. The following matters were pulled out in the executive summary of the report:
General data protection issues
- Some issues of concern raised in relation to Privacy Shield remain valid. In particular, these relate to “the rights of data subjects (e.g. some exceptions to the right of access and the timing and modalities for the right to object), the absence of key definitions, the lack of clarity in relation to the application of the DPF principles to processors, and the broad exemption for publicly available information.”
- The EDPB invites the Commission once again to clarify that, in relation to onward transfers from the US, the safeguards imposed by the entity in the US on the onward transferee need to be effective in light of the transferee country legislation.
- The EDPB maintains that, especially in light of the increasing use of AI, specific rules concerning automated decision-making are needed in order to provide sufficient safeguards, including “the right for the individual to know the logic involved, to challenge the decision and to obtain human intervention when the decision significantly affects him or her.”
- The EDPB notes the importance of effective oversight and enforcement of the DPF and considers that compliance checks are crucial.
- The EDPB notes that there are redress avenues available to EU data subjects, if their personal data are processed in violation of the adequacy decision, but that issues had been raised with these by WP29 previously.
Access to personal data by public authorities
- On a positive note, the EDPB recognised that the additional safeguards introduced by Executive Order EO 14086 are a significant improvement.
- The EDPB recommends that adoption of the DPF should be conditional on (amongst other things) “the adoption of updated policies and procedures to implement EO 14086 by all US intelligence agencies”. The EDPB recommended that the Commission should assess the updated policies and procedures and share their assessment with the EDPB.
- The EDPB welcomes the introduction of the concepts of necessity and proportionality but did identify the need to closely monitor the effects of these concepts practice.
- The EDPB notes that in relation to the collection of bulk data there is no requirement of prior authorisation by an independent authority, neither is there a systematic independent review after the fact by an independent body such as a court.
- The EDPB welcomes the introduction of the Data Protection Review Court (DPRC), remarking that this provides enhanced independence but is nevertheless concerned about the standard response issued by the DPRC, which does not reveal whether an individual was subject of US signals intelligence information but notifies the complainant that either no covered violations were identified or a that a determination requiring appropriate remediation has been issued. The EDPB has sympathy with the approach but is concerned that there are no exceptions to this response, and it is not appealable. The EDPB calls on the Commission to closely monitor the practical functioning of this mechanism.
- In terms of general monitoring, the EDPB considers the DPF should be reviewed at least every 3 years.
This is a quite a long shopping list of things to address, but will the US have any desire to negotiate further? The next step in the process is approval of the DPF by a committee of Member State Representatives. Although not binding, they will have regard to the EDPB opinion during decision making.
If you need assistance in navigating transfers of personal data to the United States in the absence of an adequacy decision, the team would love to help. Feel free to get in touch with your contact, or email firstname.lastname@example.org for more information.