The European Data Protection Board (EDPB) has adopted its opinion on the draft adequacy decision regarding the EU-US data privacy framework on data transfers under the GDPR.
While welcoming the substantial improvements made, the EDPB also expressed concerns and requested clarifications on several points related to the rights of data subjects, onward transfers, temporary bulk collection of data, and the practical functioning of the redress mechanism.
In addition, the EDPB challenged the lack of a requirement of prior authorization by an independent authority to collect data in bulk under Executive Order 12333, as well as the lack of systematic, independent ex-post review by a court or an equivalently independent body.
On the prior independent authorization of surveillance under Section 702 FISA, the EDPB regrets that the FISA Court does not review compliance with Executive Order 14086 when certifying programs authorizing the targeting of non-U.S. persons, even though the intelligence authorities carrying out the program are bound by it. Reports of the PCLOB on how the safeguards of EO 14086 will be implemented, and on how these safeguards are applied when data is collected under Section 702 FISA and EO 12333, would be particularly useful.
Regarding the redress mechanism, the EDPB recognizes the additional safeguards provided, such as the role of the special advocates and the review of the redress mechanism by the PCLOB. However, the EDPB is concerned about the general application of the standard reply of the DPRC, notifying the complainant that either no covered violations were identified or a determination requiring appropriate remediation was issued, especially given that this decision cannot be appealed. The EDPB, therefore, calls on the European Commission to closely monitor the practical functioning of this mechanism.
Based on the above, the EDPB recommends that the entry into force and adoption of the adequacy decision on data transfers between the EU and the US be conditional upon the adoption of updated policies and procedures to implement Executive Order 14086 by all US intelligence agencies. The EDPB emphasizes the importance of a high level of data protection and is committed to contributing to the subsequent reviews of the adequacy decision, which should take place at least every three years.
This detailed analysis highlights how the US does not yet provide the required level of safeguards and follows the position of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, which had urged the European Commission not to adopt adequacy on EU-US data transfers based on the Framework, on the basis that it “fails to create actual equivalence” with the EU in the level of data protection that it provides.
Based on the above, it is expected that EU political bodies will liaise in the short term with the US in order to achieve an efficient solution and enable EU companies to perform safe data transfers to the US and be more competitive in the global market.
Based on the above, the performance of a transfer impact assessment remains paramount, and you can find more details on the DLA Piper methodology on TIAs here. Also, on the same topic, you can read the article “Do you have a data transfer impact assessment methodology based on the Schrems II decision?”.