On February 28, 2023, the European Data Protection Board (“EDPB”) adopted its Opinion 5/2023 (the “Opinion”) on the draft adequacy decision of the European Commission regarding the EU-U.S. Data Privacy Framework (“DPF”). The DPF aims to ensure that personal data transferred from the European Union to the U.S. receives an adequate level of protection. The framework is based on the principles of transparency, accountability, and oversight, and it includes safeguards to protect the data privacy rights of individuals.
In the Opinion, the EDPB noted substantial improvements in the proposed DPF compared to the former Privacy Shield, but also expressed concerns regarding the level of protection provided by the draft adequacy decision. Key takeaways from the EDPB’s Opinion are:
- The EDPB welcomed the updates to the DPF Principles, but opined that the Principles to which the DPF organizations have to adhere remain essentially unchanged from the Privacy Shield, and the concerns previously raised by the Article 29 Working Party and the EDPB in relation to the Privacy Shield principles remain unaddressed. In particular, these concerns relate to the rights of data subjects, the absence of key definitions, the lack of clarity in relation to the application of the DPF Principles to processors, and the broad exemption for publicly available information.
- The EDPB opined that the structure and complexity of the DPF makes it difficult for data subjects and relevant stakeholders to understand, and that some key definitions are missing from the text and terminology usage is not consistent.
- Regarding the level of protection of individuals whose data is transferred, the EDPB noted that protection must not be undermined by onward transfers from the initial recipient of the transferred data. The EDPB invites the European Commission to clarify that the safeguards imposed by the initial recipient on the importer in the third country must be effective in light of third-country legislation, prior to an onward transfer in the context of the DPF.
- Regarding government access to data transferred to the U.S., the EDPB acknowledged the significant improvements brought by Executive Order 14086, which introduced concepts of necessity and proportionality with regard to U.S. intelligence-gathering of data (signals intelligence).
- The Opinion recognized the specific safeguards provided by relevant U.S. law in different fields concerning automated decision-making and profiling by means of AI technologies. However, the EDPB pointed out that the level of protection for individuals seems to vary according to which sector-specific rules, if any, apply to the situation at hand. The EDPB maintained that specific rules concerning automated decision-making are needed in order to provide sufficient safeguards especially when AI decisions could significantly affect an individual.
- The EDPB recommended clarification on the scope of exemptions, including on the applicable safeguards under U.S. law, in order to better identify their impact on data subjects. The Opinion also underlined that the European Commission should monitor the application and adoption of any statute or government regulation that would affect adherence to the DPF Principles. In relation to the list of exceptions to the right of access, the EDPB noted that some still tended to tip the balance towards the interests of DPF organizations, while the EDPB is concerned that there appears to be no requirement to consider the rights and interests of the individual.
- The EDPB further addressed bulk data collection and asked for clarity regarding temporary bulk collection and the further retention and dissemination of such data. EDPB opined that collection of large quantities of data without discriminants (e.g., without the use of specific identifiers) presents higher risks for the individuals than targeted collection and thus requires additional safeguards to be adduced. The Opinion noted that the DPF lacks a requirement for prior authorization from an independent authority in advance of bulk data collection.
- The EDPB highlighted that close monitoring, oversight, and enforcement of the DPF will be needed. The DPF continues to rely on a system of self-certification, although it recognizes commitments made by relevant agencies to investigate alleged DPF violations and monitor and enforce against entities making false or deception claims of participation.
Given the concerns expressed and the clarifications required, the EDPB suggests that these concerns should be addressed by the European Commission in future reviews. The EDPB further invites the European Commission to provide the requested clarifications in order to solidify the grounds for the draft adequacy decision and to ensure a close monitoring of the concrete implementation of this new legal framework, in particular the safeguards it provides. The draft adequacy decision will continue to make its way through the review and approval process. Once ratified, participating in the DPF will require that companies certify their adherence with the U.S. Department of Commerce.
We will continue to monitor the developments in this matter and keep you informed of any further updates.