The European Data Protection Board (EDPB) has issued its Opinion 5/2023 on the European Commission’s Draft Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework.

Background

The European Commission published a draft adequacy decision regarding a new framework for transatlantic exchanges of personal data, the EU-U.S. Data Privacy Framework (DPF). The DPF is meant to replace the previous US-Privacy Shield, which was invalidated by the Court of Justice of the European Union (CJEU) in 2020 in the Schrems II case. The EU-US Data Privacy Framework Principles are a key component of the new framework.

Under Article 70(1) of the General Data Protection Regulation (GDPR), the Commission requested the EDPB’s opinion on the Draft Decision. The EDPB assessed the adequacy of the level of protection afforded in the USA, taking into account the applicable EU data protection legal framework as set out in the GDPR, the fundamental rights to private life and data protection, the right to an effective remedy and a fair trial, and the requirements of the Adequacy Referential adopted by the EDPB.

Objective

The EDPB’s objective is to give an opinion on the protection afforded to individuals whose personal data is transferred to the US. To provide an adequate level of protection, Article 45 of the GDPR and the case law of the CJEU require the third country’s legislation to provide data subjects with a level of protection equivalent to that guaranteed in the EU.

General Data Protection Aspects

The DPF provides that adherence to the DPF Principles by DPF organizations may be limited in some cases. To better identify the impact of these exemptions on the level of protection for data subjects, the Commission should include in the Draft Decision clarification on the scope of the exemptions, including the applicable safeguards under US law.

The DPF Principles to which the DPF organizations must adhere remain essentially unchanged. For the DPF Principles that are substantially unchanged, the EDPB considers it unnecessary to repeat all comments previously made by the Article 29 Working Party.

The level of protection of individuals whose data is transferred must not be undermined by onward transfers from the initial data recipient. The Commission should clarify the safeguards imposed by the initial recipient on the importer in the third country. These must be effective in light of third-country legislation prior to an onward transfer in the context of the DPF.

Automated Decision-Making and Profiling

Developments in the field of automated decision-making and profiling call for particular attention. Specific rules concerning automated decision-making are needed to provide sufficient safeguards, including the right for the individual to know the logic involved, to challenge the decision, and to obtain human intervention when the decision significantly affects them.

Redress Mechanisms

Seven redress avenues are provided to EU data subjects whose data are processed in violation of the DPF. These mechanisms are the same as those included in the former Privacy Shield. The effectiveness of these redress mechanisms will be closely monitored by the EDPB, including in the context of the periodic reviews.

Access and Use of Personal Data Transferred from the EU by US Public Authorities

Finally, the entry into force and adoption of decisions should be conditional upon the adoption of updated policies and procedures to implement Executive Order (EO) 14086 by all US intelligence agencies. The Commission should assess these updated policies and procedures and share this assessment with the EDPB.

Although the EDPB Opinion is non-binding, it will likely influence Member State representatives and the European Parliament in their respective tasks.
