M L

15.11.2024

Legal Alert | EDPB report on the revision of the EU-US Data Privacy Framework

The European Data Protection Board has assessed the EU-US Data Privacy Framework, highlighting improvements in certification and the appeals mechanism, but pointing out gaps in compliance, onward transfer and data protection outside the scope of Executive Order 14086. It also underlined the need for continuous monitoring and the responsibility of organisations in data management.

Early this month, the European Data Protection Board (EDPB) issued its report on the first review of the European Commission Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework. The EDPB focused on the assessment of both the commercial aspects of the EU-US Data Privacy Framework (DPF) and the access by United States (US) public authorities to personal data transferred from the European Union (EU) to DPF certified organisations.

On the commercial aspects of the DPF, the EDPB essentially highlighted that:

  • The US Department of Commerce has taken necessary measures to set up the certification process for US companies; and
  • The DPF’s layered redress mechanism has been updated and implemented, offering multiple, accessible channels for EU individuals to submit complaints.

However:

  • The limited number of valid complaints received in the first year of the DPF seems to support the EDPB’s prior concerns that the complaint process should be supported by proactive checks, carried out by the relevant US authorities, of compliance with the DPF’s principles;
  • The EDPB encourages the Department of Commerce to produce and release practical guidance concerning the accountability for onward transfer principle of the DPF; and
  • The EDPB believes that the persistent difference in interpretation between EU and US authorities regarding the concept of “HR Data” under the DPF needs resolution and urges the Department of Commerce to develop guidance on this issue without delay.

Concerning access by US public authorities to personal data transferred from the EU to DPF certified organisations:

  • On the application of the principles of necessity and proportionality, the EDPB acknowledged updates and publication of the US Intelligence Community's internal policies and procedures;
  • The EDPB observed that the components of the redress mechanism outlined in Executive Order 14086 are operational; at the time of review, however, no complaints had been filed under the new framework by EU individuals;
  • Concerning the reauthorization of Section 702 of the Foreign Intelligence Surveillance Act (FISA), the EDPB noted the legislative changes that enhance privacy protections, emphasizing that Executive Order 14086 fully applies when data access requests are made under Section 702 of FISA.

Nevertheless, the EDPB:

  • Expressed that it would have appreciated an opportunity during the periodic review to discuss specific examples illustrating how the principles of necessity and proportionality are interpreted and applied at the agency level;
  • Noted that it is unable to comprehensively assess the practical implementation of necessity and proportionality at this stage, emphasising the importance of ongoing, careful monitoring of this issue in future reviews;
  • Raised concerns that the recent amendment to the definition of “electronic communication service provider” under Section 702 of FISA does not fulfill the criteria for clear, precise, and accessible legislation;
  • Emphasised that an adequate level of protection must also extend to instances where US intelligence agencies acquire personal data from data brokers and other commercial sources, which are not covered by Executive Order 14086.

On a final note, the EDPB stressed that there are more than 2800 organizations listed as active participants under the DPF, 1100 that have withdrawn from the Data Privacy Framework and 2600 listed as inactive because those participants let their certification lapse. It recalled that the DPF requires the Department of Commerce to verify whether organizations that actively withdraw from the DPF, or allow their certification to lapse, either return or delete the personal data obtained under the DPF or retain that data. If an organization opts to retain the data, it must continue to comply with the DPF principles and designate a contact point for further inquiries.

The organisations listed as active and inactive participants under the Data Privacy Framework may be consulted here.