The European Data Protection Board (EDPB) has released its opinion on the EU-US Data Privacy Framework (DPF). The draft decision on the DPF, which is currently undergoing the legislative process at the EU level, aims to provide an adequate standard of data protection if personal data is transferred to the US pursuant to it. The EDPB acknowledges the improvements in the DPF when compared to the invalidated EU-US Privacy Shield but still expresses concerns over a number of issues.

The EDPB raise a number of issues and recommendations including:

  • The need to address more of the issues identified by the Article 29 Working Party (the EDPB’s predecessor prior to the GDPR) back in 2016 which assessed and concluded that the Privacy Shield (the previous mechanism designed to facilitate the transfer of personal data between the EU and the US) did not provide adequate protection for personal data in accordance with EU standards.

  • The lack of clarity in the structure contributing to an overall complex presentation of the new framework which makes it difficult for relevant stakeholders to understand.

  • Clarification on the scope of the exemptions, including on the applicable safeguards under US law, in order to better identify the impact of these exemptions on the level of protection for data subjects. For example, the argument that the exemptions to the right to access (also known as data subject access requests) might be too broad.

  • Clarification on the principles and safeguards on the further use of personal data accessed by law enforcement agents in the US – currently there is only one example of the grounds on which further dissemination of such data that has been given.

  • The DPF does not introduce a requirement for prior authorisation by an independent authority for bulk collection of data, and safeguards in this context may be insufficient.

  • Clarification on certain practical aspects of the Data Protection Review Court which is the new redress mechanism under the DPF that acts as an independent ombudsman mechanism to deal with complaints.

  • Clarity as to the European Commission’s assessment of the retention rules applicable to personal data of US persons for national security purposes given personal data should only retained for as long as necessary.

The EDPB’s mixed reaction to the DPF follows the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) objections to the DPF, as it “fails to create actual equivalence” with the EU level of data protection. Despite it being a non-binding decision, the European Commission will “carefully analyse” the EDPB’s opinion while we eagerly anticipate the positions of the European Parliament and Council.

See the EDPB’s full opinion here