Authors: Jim Sullivan, John Magee, Rachel De Souza & Christopher Connell
On 28 February 2023, the European Data Protection Board (“EDPB” or the “Board”) released its non-binding opinion on the draft adequacy decision underlying the EU-US Data Privacy Framework (“DPF”). The Board welcomed the “substantial improvements” to US law concerning signals intelligence gathering of data, such as the introduction of the principles of necessity and proportionality and the new redress mechanism for EU data subjects. While it expressed some discrete areas of concern, the EDPB explicitly emphasized that it “does not expect the US data protection framework to replicate European data protection law”.
Background
In an effort to address the widespread legal uncertainty that has prevailed with respect to transatlantic data transfers since the Schrems II decision by the Court of Justice of the European Union (“CJEU”) in July 2020, President Biden on 7 October 2022 issued Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities (“EO 14086”). In particular, EO 14086 directed US intelligence agencies to take steps to implement US commitments under the new DPF.
Based on those US commitments, the European Commission concluded in its draft US adequacy decision of 13 December 2022 that companies certifying compliance with the DPF Principles can provide EU data subjects with a level of data protection essentially equivalent to that provided in the EU. In connection with the final adoption of that draft adequacy decision, the European Commission requested the non-binding opinion of the EDPB.
The EDPB Opinion
Commercial protection of data
- DPF Principles—While the EDPB welcomed several updates to the DPF Principles to which participating organisations must legally adhere, it nevertheless stated that further improvement or clarification would be beneficial with respect to data subjects’ rights to access, the absence of key definitions, the application of the DPF Principles to processors, and the broad exemption for publicly available information.
- Onward Transfers—The EDPB requested that the European Commission “clarify that the safeguards imposed by the initial recipient on the importer in the third country, are effective in light of third country legislation, prior to an onward transfer in the context of the DPF.”
- Automated Decision-Making and Profiling—The EDPB welcomed the European Commission’s references to specific safeguards provided by relevant US law. However, the EDPB concluded that, given that the level of protection for individuals set forth in such laws varies “according to which sector-specific rules—if any—apply to the situation at hand,” specific rules concerning automated decision-making are needed to ensure sufficient safeguards.
Government protection of data
- Necessity and proportionality—While the EDPB recognised that EO 14086 introduced the concepts of necessity and proportionality in the legal framework of signals intelligence, it “underlined the need to closely monitor the effects of these amendments in practice, including the review of internal policies and procedures implementing the EO’s safeguards at agency level” (emphasis added).
- Data Protection Review Court—The EDPB similarly recommended that the European Commission continuously monitor whether the redress mechanism provided for in EO 14086 and its supplemental provisions (e.g., those designed to foster the Data Protection Review Court) are implemented fully and functioning effectively in practice (emphasis added).
- Bulk data collection—The EDPB identified the collection of bulk data pursuant to Executive Order 12333 as a particular ‘deficit’ in the DPF, as there is no requirement of prior authorisation by an independent authority or “systematic independent review ex post by a court or an equivalently independent body.”
- FISA 702—With respect to prior independent authorisation of surveillance conducted pursuant to Section 702 of the Foreign Intelligence Surveillance Act (“FISA”), the EDPB lamented that “the FISA Court (‘FISC’) does not review a programme application for compliance with the EO 14086 when certifying the programme authorising the targeting of non-US persons, even though the intelligence authorities carrying out the programme are bound by it.”
What Next?
With the release of non-binding decisions on the draft adequacy decision by the EDPB on 28 February 2023 and by the European Parliament’s LIBE Committee on 14 February 2023, the European Commission will next seek formal approval of the draft decision from at least 55 percent of EU Member State representatives.
Assuming that the committee of EU Member State representatives approves the draft decision, the European Commission reportedly intends to adopt a final adequacy decision by July 2023, the third anniversary of the Schrems II ruling. As with the UK adequacy decision, the EDPB opinion calls for any US adequacy decision to be subject to regular reviews and monitoring by the European Commission.
For further information, please contact your usual DLA Piper lawyer.