On February 28, 2023, the European Data Protection Board (“EDPB”) issued its Opinion 5/2023 on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework (the “Opinion”). In the Opinion, the EDPB recognized substantial improvements in the proposed EU-U.S. Data Privacy Framework (“DPF”) when compared to Privacy Shield, whilst also stating that a number of aspects of the DPF need to be clarified, developed or further detailed.
Key Takeaways from the EDPB’s Opinion
- The EDPB positively notes the substantial improvements made in the DPF, in particular as regards the introduction of the principles of necessity and proportionality and the individual redress mechanism for EU data subjects. It also takes into account the commitments by U.S. authorities in enforcing the DPF, and considers that this enforcement should be adequately monitored.
- The DPF’s complexity may make it difficult for relevant stakeholders to understand, and some key definitions are also missing from the text.
- Exceptions to the right to access may be too broad in the DPF; further guarantees should be provided with regard to the possibility of further transfers of data of EU data subjects; and additional safeguards are necessary in the context of automated decision-making.
- The DPF does not introduce a requirement for prior authorization by an independent authority for bulk collection of data, and safeguards in this context may be insufficient.
- The new redress mechanisms under the DPF represent a positive evolution when compared to Privacy Shield. In particular, the Data Protection Review Court offers reinforced guarantees, for example, in terms of independence. However, clarifications on certain aspects, such as access to information by judges, may still be required.
- The general use of the standard response by the Data Protection Review Court may not adequately take into consideration the necessary balance between the rights of individuals and considerations of national security.
- The effectiveness of EO 14086 will depend on the adoption of policies and procedures for its implementation by U.S. Intelligence Agencies. The EDPB believes that both the adoption and entry into force of the DPF should be made conditional on the adoption of said policies and procedures.
The DPF will now need to be approved by a committee of Member States representatives. The European Parliament is also likely to continue scrutinizing the process. While the Opinion of the EDPB is not binding, it is expected to influence both Member State representatives and the European Parliament in their respective tasks.