EDPB Opinion on Trans-Atlantic Data Privacy Framework
Will GDPR-compliant data transfers to the US soon be possible without any problems? – Part I
The first part of this series of articles presents an abstract of the non-binding opinion of the European Data Protection Board (EDPB) on the draft “Trans-Atlantic Data Privacy Framework”, the new data protection agreement between the EU and the US.
The following articles will examine in more detail the individual points of criticism and the improvements the EDPB demands.
What is it about?
US laws allow the US intelligence agencies to access personal data that is either transferred from the EU to the US or processed there. However, personal data enjoys a higher level of protection in the EU than in the US. For this reason, the ECJ declared the EU-US Privacy Shield (“Privacy Shield”) invalid in 2020 in the so-called Schrems II case (Case C-311/18). After “Safe Harbour”, the “Privacy Shield” was the second agreement that served as a safeguard for data transfers to the US. Once this second agreement had also been overturned, a new arrangement was needed to ensure adequate data protection. A new, third agreement was therefore agreed at the political level: the “Data Privacy Framework”, or “DPF” for short.
In October 2022, US President Biden issued US Executive Order (EO) 14086 as an outgrowth of the new EU-US agreement. The EO aims to raise the level of data protection for all individuals affected by US surveillance measures, in particular in order to meet EU data protection requirements for data transfers to the US. On 13.12.2022, the EU Commission subsequently published a draft adequacy decision that would declare the US a so-called safe third country on the basis of the new US rules.
The European Data Protection Board (EDPB) was asked by the European Commission to give its opinion on the draft adequacy decision. The EDPB published this opinion on 28.02.2023. Its evaluation focuses in particular on the commercial aspects of the DPF as well as on the access to and use of personal data from the EU by US public authorities.
Although the assessment highlights critical aspects, the EDPB does not suggest that the draft decision be rejected. Rather, the EDPB recommends that the concerns it raises be taken into account and that the European Commission provide the requested clarifications in order to strengthen the reasoning of its draft decision.
What is the EDPB’s overall opinion on the adequacy decision?
Overall, the EDPB notes that, as a result of the enacted EO 14086, the US legal framework now specifies the purposes for which data may be collected and requires that principles of proportionality be taken into account. Close monitoring is nevertheless needed to ensure that, and how, these requirements are implemented in practice. This includes reviewing the internal policies and procedures at the level of the individual intelligence agencies.
What is the EDPB’s criticism?
The list is long, and it gives a clear picture of how the EDPB assesses the draft. The main points of criticism are:
· Lack of detailed information on the legal context in the US that would be needed to understand the DPF principles properly, for example the missing description of the privacy obligations applicable under US law.
· The draft decision provides for the possibility of limiting the obligation to comply with the principles set out in the DPF. Without full knowledge of US law at both the federal and state levels, the scope of these limitations is not clear; to clarify their scope, the limitations need to be set out in the draft decision itself.
· Unstructured attachments make it difficult to find and look up information.
· Inconsistent use of terms such as “processing”, which can lead to legal uncertainties.
· There is a need to clarify the scope of the right of access of data subjects and to include this in the main text of the adequacy decision and not only as a supplementary explanation in the footnotes.
· No explanations on the exercise of the right to object.
· Exemption of intra-group transfers from the contractual requirement. In the EDPB’s view, onward transfers of data should only take place for limited and specified purposes and on the basis of a contract between the DPF organisation and the third party (or a comparable arrangement within a group of companies) that also obliges the third party to comply with the same level of protection.
· Lack of specific safeguards against the rapid developments in automated decision-making and profiling, which increasingly rely on AI technology.
· Reviews of compliance with the DPF principles are limited to formal requirements (e.g. a lack of response from designated contact points), although verification of compliance with the substantive requirements is crucial.
· Lack of further explanation as to whether the available legal remedies enable data subjects to obtain access to personal data concerning them, or to obtain the rectification or erasure of such data.
· Lack of further clarification on the principles and safeguards for further use of data, in particular with regard to applicable rules and safeguards for onward transfers, further use and disclosure of personal data collected for law enforcement purposes in the US and subsequently transferred to third countries, including under international agreements.
· Lack of a definition of the term “signals intelligence” (information obtained by capturing and analysing the electronic signals and communications of a specific target) in EO 14086.
· The adoption of the decision is not made conditional on all US intelligence agencies first adopting updated policies and procedures to implement EO 14086.
· Lack of clarity in the assessment of the applicable retention requirements: the draft refers to retention rules for personal data of US persons, which cannot simply be used as a benchmark for the data of EU persons.
· The possibility under EO 14086 for the President of the United States to add further objectives to the list of legitimate objectives for which signals intelligence may be collected.
· Lack of verification of whether there are international agreements with third countries or international organisations that could provide for specific rules on the international transfer of personal data by intelligence agencies to third countries.
Conclusion on the EDPB opinion
Overall, the EDPB takes positive note of the fact that EO 14086, compared to the previous legal framework, offers significant improvements, particularly with regard to the introduction of the principles of necessity and proportionality for interferences with data protection and the individual redress mechanism for data subjects in the EU.
In view of the criticisms outlined above, the EDPB proposes that the concerns be addressed and that the EU Commission provide the requested clarifications. This would consolidate the rationale of the draft decision and ensure close monitoring of the concrete implementation of this new legal framework, in particular of the safeguards it provides, in the future joint reviews.