On February 28, 2023, the European Data Protection Board (“EDPB”) released its non-binding opinion on the European Commission’s draft adequacy decision on the EU-U.S. Data Privacy Framework (“DPF”).  The adequacy decision, once formally adopted, will establish a new legal basis by which organizations in the EU (as well as the three EEA states of Iceland, Liechtenstein, and Norway) may lawfully transfer personal data to the U.S., provided that the recipient in the U.S. certifies to and abides by the terms of the DPF (see our previous blogpost here). 

The Commission sought the EDPB’s opinion pursuant to Article 71(1)(s) of the GDPR.  The EDPB welcomes the fact that elements of the DPF represent a substantial improvement over the Privacy Shield, which was annulled by the EU Court of Justice (“CJEU”) in Schrems II (see our previous blogpost here).  Nonetheless, the EDPB notes some concerns and seeks clarification on certain aspects of the DPF from the Commission.  For example, the EDPB welcomes the establishment of a specific mechanism by which non-U.S. persons may seek redress for certain U.S. government surveillance of their personal data, but calls on the Commission to closely monitor the implementation of this mechanism in practice.

Key Takeaways

As a threshold point, the EDPB notes that the DPF’s Principles largely mirror those in the Privacy Shield, and so refers to the opinion of the EDPB’s predecessor, the Article 29 Working Party, concerning the Shield.  In addition to restating the Working Party’s earlier observations about the Privacy Shield, the EDPB’s opinion also draws out specific aspects of the DPF that the EDPB deems to be particularly relevant today.  As many expected, the EDPB’s assessment considers the extent to which the DPF effectively addresses the findings made by the CJEU in its Schrems II judgment concerning the authorizations granted to the U.S. intelligence community under U.S. law to access the personal data of EU data subjects.  

Key takeaways include the following:  

General Data Protection Principles

  • Onward transfers.  The EDPB notes that onward transfers of data by U.S. organizations enrolled in the DPF to third countries should not undermine the level of protection afforded to EU data subjects.  The EDPB recommends that the DPF clarify that participating organizations should assess, prior to any onward transfer of data to a third country, whether the laws and/or practices in that country threaten to undermine the protections afforded by the DPF.
  • Right of access.  The EDPB considers the DPF’s exceptions to the right of access to be overly broad, and recommends that the DPF make clearer that (1) participating organizations are required to respond to data subject access requests, and (2) this obligation applies to any processing activity carried out by the organization (and not just when the organization “stores” such data, as the text currently provides).
  • Right to object.  The EDPB notes that data subjects should have a general right to object to the processing of their data under conditions established in the third country’s legal framework, where there are compelling legitimate grounds to do so.
  • Automated decision-making and profiling.  The EDPB recommends that the DPF include specific rules to address automated decision-making (“ADMs”).  This would include rules to ensure individuals can understand the logic underlying a decision that significantly affects them, challenge the decision, and require human oversight.
  • Redress mechanisms.  The EDPB observes that some of the DPF’s redress mechanisms are the same as those under the Privacy Shield, and commits to closely monitor their effectiveness.  The EDPB also requests further information on the DPF’s mechanism for allowing individuals, under certain circumstances, to lodge complaints with an EU data protection authority. 

U.S. Public Authority Access and Use of Personal Data

  • Access and use of data for criminal law enforcement purposes.  The EDPB offers a number of observations regarding U.S. law providing for access to data by U.S. authorities, including that it “could be considered as generally meeting the requirements of necessity and proportionality in relation to the fundamental rights to private life and data protection.”  According to the Board, U.S. law also establishes a “fairly robust independent oversight mechanism” with respect to law enforcement access to data held by companies in the U.S.  The EDPB invites the Commission to clarify, however, the legal avenues available to non-U.S. persons seeking redress in cases where authorities have accessed their data, as well as the extent to which the individual may access, correct, or delete their personal data.
  • Access and use of data for national security purposes.  The EDPB notes that U.S. law governing access to personal data by U.S. intelligence agencies has been amended by Executive Order 14086 (“E.O. 14086”), which the EDPB describes as a “significant improvement” (see our previous blogpost on E.O. 14086 here).  The EDPB recommends, however, that both the adoption and entry into force of the Commission’s decision be made conditional upon those agencies updating their policies and procedures in accordance with E.O. 14086.  

In addition, the EDPB highlights certain aspects of the Executive Order:

Necessary and Proportionate.  The EDPB observes that E.O. 14086 imposes “necessity” and “proportionality” requirements that appear to “have been included to reflect the principles of necessity and proportionality foreseen under EU law.”  The EDPB encourages the Commission to obtain additional information to assess and monitor the application of these principles in practice, including the implementation by U.S. intelligence agencies of these safeguards in their updated policies and procedures. 

Redress. The EDPB “welcomes” the establishment of a specific redress mechanism – the Data Protection Review Court (“DPRC”) – for non-U.S. persons, and concludes that this mechanism is not “per se insufficient” merely because it is established within the Executive Branch, rather than as a court envisioned by Article III of the U.S. Constitution.  The EDPB expresses some concerns, such as the absence of a right of appeal, and calls on the Commission to closely monitor the implementation of the Order’s redress mechanism to ensure that its safeguards are “fully reflected in practice.”

Oversight.  The EDPB notes that E.O. 14086 confers upon the U.S. Privacy and Civil Liberties Oversight Board (“PCLOB”) “comprehensive supervision” of the Executive Order’s implementation, and “welcomes the PCLOB’s independence and oversight of the national intelligence community,” particularly in light of the fact that intelligence agencies must comply with or otherwise adopt the PCLOB’s recommendations.   

The EDPB concludes its opinion by committing to closely monitor the effectiveness of the DPF’s oversight and enforcement mechanisms. 

Next steps

Although the EDPB’s opinion is not binding on the Commission, the Commission may take the opinion into consideration as it prepares the final text of its adequacy decision.  The Commission’s next step will be to submit the draft decision for approval by a committee of Member State representatives.  The Commission is expected to adopt the final adequacy decision sometime in mid-2023.

***

Covington regularly advises companies on all aspects of their international transfers.  Our team is happy to assist with any inquiries relating to the proposed EU-U.S. Data Privacy Framework and other international transfers mechanisms.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Photo of Lisa Peets Lisa Peets

Lisa Peets leads the Technology Regulatory and Policy practice in the London office and is a member of the firm’s Management Committee. Lisa divides her time between London and Brussels, and her practice embraces regulatory counsel and legislative advocacy. In this context, she…

Lisa Peets leads the Technology Regulatory and Policy practice in the London office and is a member of the firm’s Management Committee. Lisa divides her time between London and Brussels, and her practice embraces regulatory counsel and legislative advocacy. In this context, she has worked closely with leading multinationals in a number of sectors, including many of the world’s best-known technology companies.

Lisa counsels clients on a range of EU law issues, including data protection and related regimes, copyright, e-commerce and consumer protection, and the rapidly expanding universe of EU rules applicable to existing and emerging technologies. Lisa also routinely advises clients in and outside of the technology sector on trade related matters, including EU trade controls rules.

According to the latest edition of Chambers UK (2022), “Lisa is able to make an incredibly quick legal assessment whereby she perfectly distils the essential matters from the less relevant elements.” “Lisa has subject matter expertise but is also able to think like a generalist and prioritise. She brings a strategic lens to matters.”

Photo of Diana Lee Diana Lee

Diana Lee is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Diana’s practice focuses on regulatory and enforcement matters relating to electronic surveillance, law enforcement access to digital evidence, and data privacy…

Diana Lee is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Diana’s practice focuses on regulatory and enforcement matters relating to electronic surveillance, law enforcement access to digital evidence, and data privacy and cybersecurity. She also routinely advises clients on content moderation and consumer protection issues. Before rejoining the firm, she clerked for Judge Victor A. Bolden, United States District Judge for the District of Connecticut.

Diana is a member of the Bars of New York and the District of Columbia.

Photo of Laura Somaini Laura Somaini

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules…

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules as well as data protection contracts and policies.