📢 Important Update: EU-US Data Privacy Framework Agreement Reached! 🌍🤝
In light of this significant development, we have updated our coverage to reflect the latest information. To stay up-to-date on the new EU-US Data Privacy Framework agreement and its implications, we invite you to read our latest article on the topic.
🔍 Discover the latest: EU to USA Personal Data Transfers Now Approved
Thank you for your continued support and trust in our coverage of important global issues!
The EDPB has adopted its opinion on the European Commission’s draft adequacy decision regarding the EU-US Data Privacy Framework (DPF). The DPF is meant to replace the Privacy Shield which was invalidated by the CJEU in the Schrems II judgment and is applicable to U.S. organizations which have self-certified and fall within the jurisdiction of the Federal Trade Commission or the Department of Transportation.
EDPB Chair Andrea Jelinek held that:
“…we think that after the first review of the adequacy decision, subsequent reviews should take place at least every three years, and we are committed to contributing to them.”
The Main findings from the EDPB’s opinion:
- The EDPB applauds the significant advancements made in the DPF, especially the addition of the necessity and proportionality criteria and the individual redress mechanism for EU data subjects. It also considers that the DPF enforcement should be properly monitored and takes into account the DPF enforcement pledges made by U.S. authorities.
- The complexity of the DPF and the absence of several crucial definitions in the language may make it challenging for essential parties to comprehend.
- There may be too many exceptions to the right of access in the DPF, more assurances should be given on potential future transfers of EU data subjects’ personal information, and more security measures are required when using automated decision-making.
- Because the DPF does not mandate prior independent authority approval for bulk data collection, there may not be adequate safeguards in this situation.
- When compared to Privacy Shield, the new redress procedures under the DFC reflect an improvement. The Data Protection Review Court in particular provides strengthened protections, such as independence. Clarifications may still be needed, though, on some issues like judges’ access to information.
- The Data Protection Review Court may not have effectively considered the appropriate balance between the rights of persons and issues of national security in its general adoption of the standard answer.
- The adoption of policies and procedures for its execution by U.S. Intelligence Agencies will determine how effective EO 14086 is. The EDPB thinks that the adoption of stated policies and procedures should be a requirement for both the adoption and implementation of the DPF.
What’s next?
A committee made up of the representatives of the Member States will now have to adopt the DPF.
The European Parliament will probably keep examining the procedure.
Although the EDPB’s Opinion is not legally enforceable, it is anticipated that it will have an impact on how Member State representatives and the European Parliament carry out their separate duties.
