European Data Protection Board Issues Opinion on EU-US Data Transfers
On February 28, 2023, the European Data Protection Board (“EDPB”) issued its opinion on the draft adequacy decision of the European Commission (the “Commission”) on the new EU-US Data Privacy Framework (“DPF”). The EDPB expressed reservations in connection with the DPF, which will now undergo scrutiny by other European institutions.
Who Should Read This Legal Update
This Legal Update is relevant for companies whose business may involve the transfer of personal data between the EU and the US. If the US is approved as a country with data adequacy on the basis of the DPF, data transfers from the EU by businesses that are certified to the DPF will no longer require separate data transfer mechanisms to provide additional safeguards such as Binding Corporate Rules or Standard Contractual Clauses.
Background
On December 13, 2022, the European Commission published its draft adequacy decision for EU-US data transfers, following the EU-US announcement of an agreement on the DPF in March 2022 and the US Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the “Executive Order”), which was signed by President Biden in October 2022.
If the draft adequacy decision is adopted, the DPF will be the successor to the EU-US Privacy Shield, which was based on an adequacy decision of the European Commission under the General Data Protection Regulation ("GDPR") and subsequently declared invalid by the Court of Justice of the European Union ("CJEU") in its July 2020 Schrems II decision. The DPF is expected to tackle the concerns of the CJEU with respect to transfers of EU personal data to the US.
What’s New
The EDPB’s opinion is the first step in the process of adopting the draft decision. The EDPB stated that its analysis would focus on assessing the extent the DPF addresses the concerns of the CJEU that served as the basis for the Schrems II decision.
Key takeaways of the EDPB’s opinion include:
- Acknowledgment of improvements: The EDPB acknowledged several improvements in the DPF over the Privacy Shield, such as the availability of redress mechanisms that more thoroughly address possible violations of data subjects’ rights. It also recognized improvements regarding restrictions on the access and use of EU personal data for criminal law enforcement purposes in the US;
- Concerns regarding key data privacy aspects: The EDPB identified its concerns related to exemptions to data subjects’ right of access, an absence of clear definitions, lack of rules on automated decision making and profiling, and lack of clarity on onward transfers;
- Concerns in relation to the use and access of EU personal data by US public authorities (in particular for national security purposes): The EDPB noted the lack of a requirement of prior authorization for the collection of data in bulk and recommended that the adoption and entry into force of the adequacy decision be made conditional upon adoption of updated policies and procedures to implement the commitments of the Executive Order by all US intelligence agencies.
The EDPB recommended that the European Commission address the above-mentioned concerns to further solidify the grounds for the draft adequacy decision.
Next Steps
The European Commission must now seek the approval from a committee composed of representatives of the EU member states. The European Parliament (the “Parliament”) has also signaled its intent to exercise its right of scrutiny over the draft adequacy decision. On February 14, 2023, the Parliament proposed a draft opinion concluding that the DPF fails to provide an adequate level of protection and inviting the Commission to continue negotiations with its US counterparts with the aim of creating a mechanism that would ensure such equivalence.
Given the intense scrutiny faced by the draft adequacy decision, businesses should be ready to continue relying on the other data transfer mechanisms available under the GDPR (such as Binding Corporate Rules and Standard Contractual Clauses) in the short- to mid-term. For information on the available data transfer mechanisms pending adoption of the DPF, please refer to our Legal Update from December 2022.