On February 28, 2023, the European Data Protection Board (“EDPB”) released its non-binding opinion on the European Commission’s draft adequacy decision on the EU-U.S. Data Privacy Framework (“DPF”). The adequacy decision, once formally adopted, will establish a new legal basis by which organizations in the EU (as well as the three EEA states of Iceland, Liechtenstein, and Norway) may lawfully transfer personal data to the U.S., provided that the recipient in the U.S. certifies to and abides by the terms of the DPF (see our previous blogpost here).
The Commission sought the EDPB’s opinion pursuant to Article 71(1)(s) of the GDPR. The EDPB welcomes the fact that elements of the DPF represent a substantial improvement over the Privacy Shield, which was annulled by the EU Court of Justice (“CJEU”) in Schrems II (see our previous blogpost here). Nonetheless, the EDPB notes some concerns and seeks clarification on certain aspects of the DPF from the Commission. For example, the EDPB welcomes the establishment of a specific mechanism by which non-U.S. persons may seek redress for certain U.S. government surveillance of their personal data, but calls on the Commission to closely monitor the implementation of this mechanism in practice.
As a threshold point, the EDPB notes that the DPF’s Principles largely mirror those in the Privacy Shield, and so refers to the opinion of the EDPB’s predecessor, the Article 29 Working Party, concerning the Shield. In addition to restating the Working Party’s earlier observations about the Privacy Shield, the EDPB’s opinion also draws out specific aspects of the DPF that the EDPB deems to be particularly relevant today. As many expected, the EDPB’s assessment considers the extent to which the DPF effectively addresses the findings made by the CJEU in its Schrems II judgment concerning the authorizations granted to the U.S. intelligence community under U.S. law to access the personal data of EU data subjects.
Key takeaways include the following:
General Data Protection Principles
- Onward transfers. The EDPB notes that onward transfers of data by U.S. organizations enrolled in the DPF to third countries should not undermine the level of protection afforded to EU data subjects. The EDPB recommends that the DPF clarify that participating organizations should assess, prior to any onward transfer of data to a third country, whether the laws and/or practices in that country threaten to undermine the protections afforded by the DPF.
- Right of access. The EDPB considers the DPF’s exceptions to the right of access to be overly broad, and recommends that the DPF make clearer that (1) participating organizations are required to respond to data subject access requests, and (2) this obligation applies to any processing activity carried out by the organization (and not just when the organization “stores” such data, as the text currently provides).
- Right to object. The EDPB notes that data subjects should have a general right to object to the processing of their data under conditions established in the third country’s legal framework, where there are compelling legitimate grounds to do so.
- Automated decision-making and profiling. The EDPB recommends that the DPF include specific rules to address automated decision-making (“ADMs”). This would include rules to ensure individuals can understand the logic underlying a decision that significantly affects them, challenge the decision, and require human oversight.
- Redress mechanisms. The EDPB observes that some of the DPF’s redress mechanisms are the same as those under the Privacy Shield, and commits to closely monitor their effectiveness. The EDPB also requests further information on the DPF’s mechanism for allowing individuals, under certain circumstances, to lodge complaints with an EU data protection authority.
U.S. Public Authority Access and Use of Personal Data
- Access and use of data for criminal law enforcement purposes. The EDPB offers a number of observations regarding U.S. law providing for access to data by U.S. authorities, including that it “could be considered as generally meeting the requirements of necessity and proportionality in relation to the fundamental rights to private life and data protection.” According to the Board, U.S. law also establishes a “fairly robust independent oversight mechanism” with respect to law enforcement access to data held by companies in the U.S. The EDPB invites the Commission to clarify, however, the legal avenues available to non-U.S. persons seeking redress in cases where authorities have accessed their data, as well as the extent to which the individual may access, correct, or delete their personal data.
- Access and use of data for national security purposes. The EDPB notes that U.S. law governing access to personal data by U.S. intelligence agencies has been amended by Executive Order 14086 (“E.O. 14086”), which the EDPB describes as a “significant improvement” (see our previous blogpost on E.O. 14086 here). The EDPB recommends, however, that both the adoption and entry into force of the Commission’s decision be made conditional upon those agencies updating their policies and procedures in accordance with E.O. 14086.
In addition, the EDPB highlights certain aspects of the Executive Order:
- Necessary and Proportionate. The EDPB observes that E.O. 14086 imposes “necessity” and “proportionality” requirements that appear to “have been included to reflect the principles of necessity and proportionality foreseen under EU law.” The EDPB encourages the Commission to obtain additional information to assess and monitor the application of these principles in practice, including the implementation by U.S. intelligence agencies of these safeguards in their updated policies and procedures.
- Redress. The EDPB “welcomes” the establishment of a specific redress mechanism – the Data Protection Review Court (“DPRC”) – for non-U.S. persons, and concludes that this mechanism is not “per se insufficient” merely because it is established within the Executive Branch, rather than as a court envisioned by Article III of the U.S. Constitution. The EDPB expresses some concerns, such as the absence of a right of appeal, and calls on the Commission to closely monitor the implementation of the Order’s redress mechanism to ensure that its safeguards are “fully reflected in practice.”
- Oversight. The EDPB notes that E.O. 14086 confers upon the U.S. Privacy and Civil Liberties Oversight Board (“PCLOB”) “comprehensive supervision” of the Executive Order’s implementation, and “welcomes the PCLOB’s independence and oversight of the national intelligence community,” particularly in light of the fact that intelligence agencies must comply with or otherwise adopt the PCLOB’s recommendations.
The EDPB concludes its opinion by committing to closely monitor the effectiveness of the DPF’s oversight and enforcement mechanisms.
Although the EDPB’s opinion is not binding on the Commission, the Commission may take the opinion into consideration as it prepares the final text of its adequacy decision. The Commission’s next step will be to submit the draft decision for approval by a committee of Member State representatives. The Commission is expected to adopt the final adequacy decision sometime in mid-2023.
Covington regularly advises companies on all aspects of their international transfers. Our team is happy to assist with any inquiries relating to the proposed EU-U.S. Data Privacy Framework and other international transfer mechanisms.