Trans-Atlantic Data Privacy Framework – Part 2

The Data Privacy Framework principles and opinions of EDPB and MEPs

Can an adequacy decision be made on the basis of the current Data Privacy Framework principles?

Introduction

In the first article of this short series, dated 29.03.2023, we already addressed the criticisms of the European Data Protection Board (“EDPB”) on the draft adequacy decision (“Data Privacy Framework”).

In the following, we go into more detail and present further criticisms raised by other bodies.

Brief review: what is the Data Privacy Framework, and what should it be?

In principle, the Data Privacy Framework (“DPF”) provides for a variety of principles and rules to ensure an adequate level of data protection in the transfer of personal data. The new principles, like the previous Safe Harbor Principles and the Privacy Shield Principles, are aligned with the General Data Protection Regulation and are intended to establish a level of data protection comparable to the EU.

The principles were developed in consultation by the European Commission, industry and other stakeholders and are described as the “key component” of the DPF.

On the one hand, they are intended to provide a “ready-to-use mechanism” for data transfers from the EU to the US, and on the other hand, to secure and protect personal data transferred in this way in accordance with EU law. One could therefore say that the principles are a “light” version of the rights and obligations of the GDPR.

However, there is quite justified criticism of the principles, especially from the EDPB as well as from Members of the European Parliament (MEPs).

While the EDPB welcomes the numerous updates to the principles for the processing of personal data, it also notes that a number of principles remain essentially the same as they were under Safe Harbor and the Privacy Shield (Article 29 Working Party, Opinion 01/2016 on the EU – U.S. Privacy Shield draft adequacy decision).

For this reason, some criticisms that already existed with Safe Harbor and Privacy Shield remain, such as the exceptions to the right of access, the lack of key definitions or the lack of clarity on how the principles apply to processors.

Furthermore, the EDPB directly asks the Commission to be more concrete. Among other things, there should be a clear limit on the exceptions to the obligation to comply with the principles.

The opinion also stresses the importance of effective oversight and enforcement of the Privacy Shield in the US.

The EDPB also announces its intention to closely monitor the effectiveness of the newly created remedies available to data subjects.

At the same time, the EDPB also expresses some concern about, among other things, the possible bulk collection of data or the lack of monitoring when it comes to the issue of compliance with the requirements of the GDPR.

Overall, however, the EDPB still sees a need for clarification, especially with regard to practical implementation.

This quite critical position has now also been endorsed by MEPs in their opinion published in April (see press release of 13.04.2023 and resolution of 11.05.2023).

They also shared the view that the proposed DPF, although an improvement compared to the previous mechanisms, was not sufficient to justify an adequacy decision for the transfer of personal data. Their comments made it clear that the European Commission should not issue an adequacy decision for the US on this basis.

Like the EDPB, MEPs point out that the new regulation does not provide sufficient guarantees for a transfer.

The members essentially agree with the points of criticism already made by the EDPB, such as the continued possibility of mass collection of personal data, the possibility of US authorities accessing the personal data of EU citizens, and the fact that the decisions of the court created by US Executive Order 14086 remain superficial and non-transparent for the data subject and thus violate the rights of access and rectification.

MEPs recommend finding a framework that ensures the legally secure transfer of data between the EU and the US. In particular, it should create more legal certainty rather than more legal uncertainty. A DPF set up on shaky legs would risk suffering the fate of its predecessors.

According to NOYB (“None Of Your Business”), the European Centre for Digital Rights, an adequacy decision in its current form would likewise not withstand review by the European Court of Justice (“ECJ”). This would restart the cycle of negotiations on secure data transfers between the EU and the US.

Conclusion

Thus, the question remains open whether the European Commission will adopt the adequacy decision for data transfers on the basis of the DPF in its current form, despite the criticisms of the EDPB and MEPs.

However, if the adequacy decision is issued, European companies can rely on it to transfer data to the US without having to put in place additional data protection safeguards.

We will keep you informed about further developments.

Trans-Atlantic Data Privacy Framework – Part 1

EDPB Opinion on Trans-Atlantic Data Privacy Framework

Will GDPR-compliant data transfers to the US soon be possible without any problems? – Part I

Introduction

The first part of the series of articles presents an abstract of the non-binding opinion of the European Data Protection Board (EDPB) on the draft “Trans-Atlantic Data Privacy Framework” – the new data protection agreement between the EU and the US.

The following articles will examine the individual points of criticism, and the improvements the EDPB demands, in more detail.

What is it about? 

US laws allow the US intelligence agencies to access personal data that is either transferred from the EU to the US or processed there. However, personal data enjoys a higher level of protection in the EU than in the US. Therefore, in 2020 the ECJ declared the EU-US Privacy Shield (“Privacy Shield”) invalid in the so-called Schrems II case (Case C-3111/18). After “Safe Harbor”, the “Privacy Shield” was the second agreement that served as a safeguard for data transfers to the US. After this second agreement was overturned, a new regulation was needed to ensure adequate data protection. Therefore, a new, third agreement was agreed at the political level: the “Data Privacy Framework”, or “DPF” for short.

In October 2022, US President Biden issued a regulation (US Executive Order (EO) 14086) as an outgrowth of the new EU-US agreement. It aims to increase the level of data protection for all individuals affected by surveillance measures, and in particular to meet EU data protection requirements for data transfers to the US. The EU Commission subsequently published a draft adequacy decision on 13.12.2022 to declare the US a so-called safe third country on the basis of the new US regulation.

The European Data Protection Board (EDPB) was asked by the European Commission to give its opinion on the adequacy decision. The EDPB published this opinion on 28.02.2023. This evaluation focuses in particular on the commercial aspects as well as on the access to and use of personal data from the EU by US public authorities.

However, although the assessment highlights critical aspects, it does not suggest that the decision be rejected. Rather, the EDPB recommends that the concerns raised be taken into account and that the European Commission provide the requested clarifications to strengthen the reasoning of its draft decision.

What is the EDPB’s overall opinion on the adequacy decision? 

Overall, the EDPB notes that, as a result of the enacted EO 14086, the US legal framework now specifies concrete purposes for which data may be collected and requires that principles of proportionality be taken into account. But close monitoring is needed to ensure that, and how, the requirements are implemented in practice. This includes reviewing internal policies and procedures at the authority level.

What is the EDPB’s criticism?  

The list is long, and its length alone indicates how the draft is to be assessed. The main points of criticism are:

  • Lack of detailed information on the legal context in the US that would help to understand the DPF principles, for example a description of the privacy obligations applicable under US law.

  • The Regulation provides for the possibility of limiting the obligation to comply with the principles set out in the DPF. Without full knowledge of US law at both federal and state level, the scope of these limitations is not clear; to clarify it, the limitations need to be included in the draft decision.

  • Unstructured annexes make it difficult to find and look up information.

  • Inconsistent use of terms such as “processing”, which can lead to legal uncertainty.

  • The scope of data subjects’ right of access needs to be clarified and set out in the main text of the adequacy decision, not only as a supplementary explanation in the footnotes.

  • No explanation of how the right to object is exercised.

  • Exemption of intra-group transfers from the contractual obligation: onward transfers would then not have to be limited to specified purposes on the basis of a contract between the DPF organisation and the third party (or a comparable agreement within a group of companies) under which the third party is also obliged to provide the same level of protection.

  • Lack of specific safeguards against the rapid developments in automated decision-making and profiling, which increasingly use AI technology.

  • Reviews of compliance with the DPF principles are limited to formal requirements (e.g. a lack of response from designated contact points), although verification of compliance with the substantive requirements is crucial.

  • Lack of further explanation as to whether the legal remedies enable data subjects to obtain access to personal data concerning them, or to obtain the rectification or erasure of such data.

  • Lack of further clarification of the principles and safeguards for further use of data, in particular the applicable rules and safeguards for onward transfers, further use and disclosure of personal data collected for law enforcement purposes in the US and subsequently transferred to third countries, including under international agreements.

  • Lack of a definition in EO 14086 of the term “signals intelligence” (information obtained by capturing and analysing the electronic signals and communications of a specific target).

  • The adoption of the Decision is not made dependent on the adoption of updated policies and procedures implementing EO 14086 by all US intelligence agencies.

  • Lack of clarity on the assessment of the applicable retention requirements for personal data of US persons, which cannot simply be used as a benchmark for EU persons.

  • The possibility under EO 14086 for the President of the United States to add further targets to the list set out in the regulation.

  • Lack of verification of whether there are international agreements with third countries or international organisations that could provide specific provisions for the international transfer of personal data by intelligence agencies to third countries.

Conclusion on the EDPB opinion 

Overall, the EDPB takes positive note of the fact that EO 14086, compared to the previous legal framework, offers significant improvements, particularly the introduction of the principles of necessity and proportionality for data protection interventions and of individual redress for data subjects in the EU.

In view of the criticisms outlined above, the EDPB proposes that the concerns be addressed and that the EU Commission provide the requested clarifications. This would consolidate the rationale of the draft decision and ensure close monitoring of the concrete implementation of this new legal framework, in particular the safeguards it provides, in the future joint reviews.
