As previously reported, on 13 December 2022, the European Commission published its draft adequacy decision for the EU-U.S. Data Privacy Framework (the “Framework”). The Framework is only applicable to U.S. organisations which have self-certified.
Two months later, on 28 February 2023, the European Data Protection Board (“EDPB”) adopted its opinion on the draft decision (the “Opinion”), which considers both the commercial aspects and the processing of European personal data by the U.S. public authorities. The Opinion has praised several aspects of the Framework for offering effective data privacy mechanisms, but also highlighted some outstanding concerns.
EDPB Chair Andrea Jelinek stated: “A high level of data protection is essential to safeguard the rights and freedoms of EU individuals. While we acknowledge that the improvements brought to the U.S. legal framework are significant, we recommend to address the concerns expressed and to provide clarifications requested to ensure the adequacy decision will endure. For the same reason, we think that after the first review of the adequacy decision, subsequent reviews should take place at least every three years and we are committed to contributing to them.”
As for the positive elements of the Framework, the EDPB accepted and praised the substantial improvements, brought by President Biden's Executive Order (“EO”) 14086, regarding U.S. government access to EU personal data transferred to the U.S. This means that U.S. intelligence agencies can only access European data to the extent that is necessary and proportionate to protect U.S. national security. The Framework also ensures that, where U.S. intelligence agencies do go beyond access that is necessary and proportionate, EU individuals can obtain redress, which includes access to a Data Protection Review Court which can adopt binding remedial measures. This was hailed in the Opinion as a positive element which introduces effective powers and additional safeguards to protect data subjects against violations.
However, the EDPB is concerned, amongst other things, about the lack of prior authorisation for bulk data collection, and of systematic independent ex post monitoring, by an independent authority or a court under the EO.
Whilst the proposed Framework seeks to address certain vulnerable aspects of current Trans-Atlantic data privacy, there is a range of elements on which the EDPB has requested further clarification.
This includes areas such as:
- Expansion of the Principles, which are substantially unchanged from the previous Privacy Shield
The EDPB comments that the principles which are set out in the Framework are substantially unchanged when compared against the previous Privacy Shield, despite a number of changes and additional explanations that were provided in the recitals of the Framework. As such, some concerns remain, for example, relating to: (i) some exemptions to the right of access; (ii) the lack of key definitions and clarity about the application of the Framework Principles to processors; (iii) the broad exemption to the right of access for publicly available information; and (iv) the lack of specific rules on automated decision-making and profiling.
- Onward transfers
The EDPB states that organisations that are subject to the Framework rules should ensure, prior to the onward transfer of a subject's data, that such onward transfer does not undermine the continuity of the protection of the data subject, i.e., the organisation has a responsibility to assess conflicting third-party national legislation requirements that may contradict those of the Framework.
- The scope of exemptions
The EDPB recommends that the Commission provides clarification on the “scope of the exemptions” that have been set out in the Framework, excluding applicability in instances where it is necessary to meet conflicting U.S. obligations and overriding legitimate interests. The EDPB also recommends that, in light of these exemptions, the Commission should be informed of any further U.S. statute or regulation that would affect adherence to the Framework.
- Temporary bulk collection of data
The EDPB notes that the safeguards of bulk collection do not presently apply to temporary bulk collection. The EDPB therefore requests clarity here to determine, with certainty, which safeguards are intended to apply to which stage.
- Practical functioning of the redress mechanism
The EDPB indicates that, whilst the redress mechanism has the potential to serve as an effective process, the practical elements are potentially overly optimistic and ambitious, and thus should be supplemented with clearer detail and heavy monitoring carried out by the Commission. The EDPB further stresses the importance of ensuring that the redress avenues are effective for EU data subjects whose data has been processed in violation of the Framework.
The future fate of the Framework now passes to the Commission, which may implement the necessary changes and proposed amendments as submitted by the EDPB before adoption. As there are evidently underlying concerns and room for improvement, the Framework is also likely to be met by legal challenges from EU privacy advocates. It is nevertheless clear that the Framework has the potential to strengthen Trans-Atlantic cooperation, as a fundamental necessity in an increasingly digitalised and data-driven economy.
In the meantime, transfers of EEA personal data to the U.S. remain problematic and need to be assessed carefully and on a case-by-case basis.
Find the non-binding EDPB Opinion here.