The proposed EU-U.S. Data Privacy Framework (DPF) has hit yet another stumbling block on its road to an adequacy decision and toward opening back up the free flow of personal data from the EU to the United States without the need for standard contractual clauses or other mechanisms.
While the European Data Protection Board (EDPB) recognized the steps taken by the United States toward proportionality and necessity in U.S. intelligence gathering and the new redress mechanism set forth in President Biden's executive order, the EDPB expressed additional concerns that the DPF did not go far enough. They recommended that clarifications be made and concerns addressed so that the adequacy decision (if there is one) will endure. They also recommended that the adequacy decision be subject to review at least every three years.
All this comes on top of the Biden administration urging the U.S. Congress to renew the Foreign Intelligence Surveillance Act (FISA) Section 702, which is often pointed at as compromising the privacy rights of European data subjects.
The European Data Protection Board released its nonbinding opinion on the draft adequacy decision based on the EU-U.S. Data Privacy Framework, welcoming what it called "substantial improvements" while expressing concern and requesting clarification on several points. However, the EDPB has concerns relating to "certain rights of data subjects, onward transfers, the scope of exemptions, temporary bulk collection of data and the practical functioning of the redress mechanism."
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.