European Data Protection Board publishes Opinion on EU Commission’s draft Data Adequacy Decision regarding EU-US Data Privacy Framework (DPF)

The Draft Adequacy Decision, published by the European Commission on 13 December 2022, is based on the EU-US DPF, which is set to replace the Privacy Shield invalidated by the CJEU in Schrems II.

The EDPB has now adopted its Opinion on the EU Commission’s draft Data Adequacy Decision, which considers both the commercial aspects and US public authorities’ access and use of data under the DPF.

In its Opinion, the EDPB welcomes the substantial improvements made to the DPF, such as the introduction of the principles of necessity and proportionality for US intelligence gathering of data and the new redress mechanism for EU data subjects.

At the same time, however, it expresses concern and seeks clarification on various points, including the rights of data subjects, onward transfers, the scope of exemptions, the temporary bulk collection of data and the practical functioning of the redress mechanism. The EDPB says that it would like to see the Decision being made conditional upon the adoption of updated policies and procedures to implement Executive Order 14086 by all US intelligence agencies. The EDPB recommends that the Commission assesses these updated policies and procedures. The EDPB would also like reviews of the Decision to take place at least every three years.

Regarding the commercial aspects of the DPF, the EDPB welcomes the various updates made to the DPF Principles. It also notes that several Principles are essentially the same as under the Privacy Shield. As such, some concerns remain, e.g. in relation to exemptions to the right of access, the absence of key definitions, the lack of clarity about the application of the DPF Principles to processors, the broad exemption to the right of access for publicly available information and the lack of specific rules on automated decision-making and profiling. Further, the EDPB reiterates that the level of protection must not be undermined by onward transfers to third countries and invites the Commission to clarify that safeguards in relation to third country legislation will be effective.

The EDPB also asks the Commission to clarify the scope of exemptions relating to the duty to adhere to the DPF Principles and stresses the importance of effective oversight and enforcement of the DPF. It says that it will closely monitor these aspects, together with the effectiveness of the redress mechanisms of EU data subjects whose data are processed in violation of the DPF.

As for US government access to data transferred to the US, the EDPB acknowledges the significant improvements brought by Executive Order 14086 (i.e. the introduction of the concepts of necessity and proportionality). It also welcomes the new redress mechanism for EU individuals, which is subject to review by the US Privacy and Civil Liberties Oversight Board (PCLOB). The EDPB also welcomes the safeguards to ensure independence of the Data Protection Review Court (DPRC) and the introduction of more effective powers to remedy violations, including additional safeguards for data subjects.

The EDPB says that clarity is needed regarding temporary bulk collection and the further retention and dissemination of data collected in bulk. The EDPB expresses concern that there is no requirement of prior authorisation by an independent authority for the collection of data in bulk, nor is there any provision for an independent review ex post by a court or an equivalently independent body.

As for prior independent authorisation of surveillance under s 702 of the US Foreign Intelligence Surveillance Act (FISA), the EDPB regrets that the FISA Court does not review compliance with Executive Order 14086 when certifying programmes authorising the targeting of non-US persons, even though the intelligence authorities carrying out the programme are bound by it. Reports of the PCLOB on how the safeguards of Executive Order 14086 will be implemented and how these safeguards are applied when data is collected would be helpful, it says.

As for the redress mechanism, the EDPB recognises the additional safeguards provided, such as the role of special advocates and the review of the redress mechanism by the PCLOB. At the same time, the EDPB is concerned about the general application of the standard reply of the DPRC notifying the complainant that either no covered violations were identified or a determination requiring appropriate remediation was issued, especially given that this decision cannot be appealed. The EDPB therefore calls on the Commission to monitor closely the practical functioning of this mechanism.