EDPB welcomes improvements under the EU-U.S. Data Privacy Framework, but concerns remain

28 February 2023

Brussels, 28 February - The EDPB adopted its opinion on the draft adequacy decision regarding the EU-U.S. Data Privacy Framework. The EDPB welcomes substantial improvements such as the introduction of requirements embodying the principles of necessity and proportionality for U.S. intelligence gathering of data and the new redress mechanism for EU data subjects. At the same time, it expresses concerns and requests clarifications on several points. These relate, in particular, to certain rights of data subjects, onward transfers, the scope of exemptions, temporary bulk collection of data and the practical functioning of the redress mechanism. The EDPB would welcome it if not only the entry into force but also the adoption of the decision were made conditional upon the adoption of updated policies and procedures to implement Executive Order 14086 by all U.S. intelligence agencies. The EDPB recommends that the Commission assess these updated policies and procedures and share its assessment with the EDPB.

EDPB Chair Andrea Jelinek said: “A high level of data protection is essential to safeguard the rights and freedoms of EU individuals. While we acknowledge that the improvements brought to the U.S. legal framework are significant, we recommend addressing the concerns expressed and providing the clarifications requested to ensure the adequacy decision will endure. For the same reason, we think that after the first review of the adequacy decision, subsequent reviews should take place at least every three years and we are committed to contributing to them.”

The Draft Adequacy Decision, published by the European Commission on 13 December 2022, is based on the EU-U.S. Data Privacy Framework (DPF) - meant to replace the Privacy Shield invalidated by the CJEU in the Schrems II judgment. The key component of the DPF is the EU-U.S. Data Privacy Framework Principles, which were issued by the U.S. Department of Commerce. The DPF is only applicable to U.S. organisations which have self-certified. The EDPB has now adopted its Opinion on the Draft Decision, which considers both the commercial aspects and U.S. public authorities’ access and use of data.

Regarding commercial aspects, the EDPB welcomes a number of updates made to the DPF Principles. It also notes that a number of Principles remain essentially the same as under the Privacy Shield. As such, some concerns remain, for example, relating to some exemptions to the right of access, the absence of key definitions, the lack of clarity about the application of the DPF Principles to processors, the broad exemption to the right of access for publicly available information, and the lack of specific rules on automated decision-making and profiling. The EDPB further reiterates that the level of protection must not be undermined by onward transfers. Therefore, it invites the Commission to clarify that the safeguards imposed by the initial recipient on the importer in the third country must be effective in light of third country legislation, prior to an onward transfer.

Moreover, the EDPB asks the Commission to clarify the scope of the exemptions regarding the duty to adhere to the DPF Principles and stresses the importance of effective oversight and enforcement of the DPF. These aspects will be closely monitored by the EDPB, together with the effectiveness of the redress avenues provided to EU data subjects whose data are processed in violation of the DPF.

Regarding government access to data transferred to the U.S., the EDPB acknowledges the significant improvements brought by Executive Order (EO) 14086. The EO introduces the concepts of necessity and proportionality with regard to U.S. intelligence-gathering of data (signals intelligence).

Furthermore, the new redress mechanism creates rights for EU individuals and is subject to review by the Privacy and Civil Liberties Oversight Board (PCLOB). The EO also enshrines more safeguards to ensure the independence of the Data Protection Review Court (DPRC), compared to the previous Ombudsperson mechanism, and introduces more effective powers to remedy violations, including additional safeguards for data subjects.

The EDPB highlights that close monitoring is needed concerning the practical application of the newly introduced principles of necessity and proportionality. Further clarity is also necessary regarding temporary bulk collection and the further retention and dissemination of the data collected in bulk.

The EDPB also expresses concerns about the lack of a requirement of prior authorisation by an independent authority for the collection of data in bulk under Executive Order 12333, as well as the lack of systematic independent review ex post by a court or an equivalently independent body. With regard to prior independent authorisation of surveillance under Section 702 FISA, the EDPB regrets that the FISA Court does not review compliance with Executive Order 14086 when certifying programmes authorising the targeting of non-U.S. persons, even though the intelligence authorities carrying out the programme are bound by it. Reports of the PCLOB on how the safeguards of EO 14086 will be implemented and how these safeguards are applied when data is collected under Section 702 FISA and EO 12333 would be particularly useful.

Regarding the redress mechanism, the EDPB recognises the additional safeguards provided, such as the role of the special advocates and the review of the redress mechanism by the PCLOB. At the same time, the EDPB is concerned about the general application of the standard reply of the DPRC notifying the complainant that either no covered violations were identified or a determination requiring appropriate remediation was issued, especially given that this decision cannot be appealed. The EDPB therefore calls on the Commission to closely monitor the practical functioning of this mechanism.