EDPB sees the glass half full on the EU-U.S. Data Privacy Framework

On the bumpy road towards a new adequacy decision for EU-U.S. data transfers, the European Data Protection Board (“EDPB”) has published its Opinion 5/2023 (“Opinion”) on the European Commission's (“Commission”) draft adequacy decision (“Draft Decision”) on the EU-U.S. Data Privacy Framework (“DPF”). The EDPB welcomes the substantial improvements made to U.S. law dealing with signals intelligence compared to the previous legal framework, such as the introduction of the principles of necessity and proportionality and a new redress mechanism for EU data subjects. While the EDPB does identify some discrete areas where it believes that further improvement or clarification would be beneficial, it also emphasizes that there is no requirement for U.S. law to replicate EU law, and that the safeguards applied to transferred data must be assessed as a whole. Overall, the Opinion gives concrete grounds to believe that the new framework is likely to survive any future legal challenge. 

Background

The Commission’s Draft Decision of 13 December 2022 on the DPF is based on a self-certification mechanism similar to the invalidated EU-U.S. Privacy Shield and takes into account the changes in U.S. law introduced by Executive Order 14086 on Enhancing Safeguards for U.S. Signals Intelligence Activities (“EO 14086”). In light of these changes, the Commission concludes that companies certifying compliance to the principles outlined in the DPF (“DPF Principles”) can provide European data subjects with a level of data protection that is “essentially equivalent” to that provided within the EU when their personal data is transferred to the U.S. (see our previous article here).

As part of the adoption procedure of a final adequacy decision, the Commission requested the opinion of the EDPB on the Draft Decision. In its Opinion, the EDPB evaluated the adequacy of the level of protection afforded in the U.S. in light of the assessment of the Draft Decision.

Key Findings of the EDPB

The EDPB stresses that the test of essential equivalence under the GDPR does not require that the data protection safeguards in third countries be identical to those in the EU. Rather, the question is whether the data protection safeguards applied across the processing cycle are, taken in their entirety, adequate.

In order to make this overall assessment, the EDPB considers two key elements:

  • The DPF itself.
  • The ability of U.S. authorities to access and use transferred personal data under U.S. national security laws.

With respect to the DPF itself, the EDPB notes that the DPF Principles with which certifying organizations must comply are essentially unchanged from the Privacy Shield. However, this is not necessarily a concern, because the issues with the Privacy Shield that the CJEU identified in Schrems II related to U.S. authorities’ ability to access transferred personal data under U.S. law, rather than to the Privacy Shield framework itself.

With respect to U.S. authorities’ ability to access transferred personal data under U.S. law, the EDPB finds that, overall, EO 14086 has “significantly improved” the U.S. legal framework by requiring that U.S. signals intelligence activities be carried out in accordance with the principles of necessity and proportionality, and by providing a new redress mechanism for EU individuals. In particular, the EDPB acknowledges that, in comparison to the Ombudsperson mechanism available under the Privacy Shield, EO 14086 provides stronger safeguards for the independence of the Data Protection Review Court (“DPRC”) and more effective powers to remedy violations.

Amidst the overall positive tone, the EDPB does nevertheless identify some discrete areas where it believes that further improvements are possible. We set these out below.

Potential improvements to the DPF

The EDPB makes some general remarks that the presentation of the DPF is complex and could usefully be simplified, that terms and concepts are not always defined, used consistently and/or adequately explained, and that the Commission’s Draft Decision could usefully provide more detail, particularly in relation to how the DPF interacts with U.S. law. It also sets out a few more specific concerns:

  • Rights of access and objection. The EDPB raises some concerns with the exceptions to data subjects’ right of access (particularly in respect of the exemption for publicly available data) and also with the lack of clarity on how individuals may exercise their right to object.
  • Application to processors. The EDPB notes that it is unclear whether the DPF applies to processors. This aspect has always been challenging, as none of the previous frameworks have specifically addressed the European controller/processor dichotomy either.
  • Onward transfers. The EDPB notes that onward intra-group transfers may be possible without a contract being in place, and that more generally there is no requirement to carry out transfer impact assessments in respect of onward transfers.
  • Profiling and automated decision making. The EDPB notes that the DPF does not contain any safeguards with respect to automated decision-making with legal or similarly significant effects. It acknowledges that these safeguards will sometimes apply pursuant to sector-specific U.S. law, but notes that this will not lead to consistent protection.

Having said the above, it is important to note that these issues were also relevant to the previous EU-U.S. Privacy Shield framework and, while some had been identified in previous EDPB Opinions and Joint Reviews of the Privacy Shield, they were not invoked by the CJEU as reasons for invalidating the Privacy Shield.

Issues with regard to data access for U.S. national security purposes

In light of the European Essential Guarantees for surveillance measures framed by the EDPB (see our article here), the EDPB identified some remaining issues related to data access by U.S. national security authorities:

  • With regards to the requirement that processing by intelligence agencies should be based on clear, precise and accessible rules (“Guarantee A”), the EDPB notes that requirements laid down in EO 14086 must be further implemented through agency policies and procedures that transpose them into concrete directions for day-to-day operations.
  • With regard to the requirement that signals intelligence activities must be conducted only as far as necessary and proportionate for legitimate objectives (“Guarantee B”), the EDPB flags (among other points) that, despite the additional safeguards provided under EO 14086, U.S. law still permits bulk collection, i.e. collection without discriminants. In particular, bulk collection by U.S. intelligence agencies does not require prior authorization and is not systematically reviewed ex post by an independent authority. The EDPB also points out that, while intelligence authorities are bound by EO 14086, the Foreign Intelligence Surveillance Court (“FISC”) does not review compliance with EO 14086 when certifying bulk collection programs.
  • In light of the guarantee of an independent oversight mechanism (“Guarantee C”), the EDPB (among a few other points) maintains its concern that the FISC, as the external oversight body, does not provide effective judicial oversight of the targeting of non-U.S. persons, and that EO 14086 does not appear to resolve this.
  • With regard to effective judicial remedies (“Guarantee D”), the EDPB picks up on the legal debate as to whether judicial redress via the DPRC, which sits within the executive branch and is not an ordinary court established by the U.S. Congress, can meet the requirements of Article 47 of the EU Charter of Fundamental Rights. The EDPB particularly criticizes that the DPRC only provides standardized responses to complainants about its findings and that its rulings cannot be appealed. It also flags that the designation of the EU as a qualifying entity for the purposes of the redress mechanism is an essential prerequisite for the entry into force of the adequacy decision. Overall, the EDPB concludes that the specific redress mechanism is not per se insufficient, and that the Commission should continuously monitor whether the rules set out in EO 14086 to secure the DPRC’s independence are fully implemented and function effectively in practice.

Recommendations by the EDPB

The EDPB recommends that the Commission make the adoption and entry into force of the adequacy decision conditional upon the adoption of the updated policies and procedures that U.S. intelligence agencies are required to implement under EO 14086. After assessing these updated policies and procedures, the Commission should inform the EDPB.

Also, the EDPB makes the following suggestions with regard to the contents of the adequacy decision:

  1. The Commission should clarify the scope of exemptions under which companies may diverge from the DPF Principles.
  2. The Commission should clarify the safeguards imposed by the initial data recipient on other importers in the context of onward transfers.
  3. The questions raised regarding bulk data collection should also be clarified.

Finally, the EDPB stresses that the Commission must observe and periodically check compliance of the practical application of the new legal framework with the adequacy decision and the DPF, in particular with regard to the requirement of effective oversight and enforcement of the DPF, as well as the redress mechanisms under U.S. law.

If provided, the above clarifications will solidify the grounds for the Draft Decision.

What’s next?

As a crucial next step, the Commission needs the approval of the Draft Decision by a committee composed of representatives of the EU Member States. In addition, the European Parliament has a right of scrutiny over adequacy decisions. After these steps, the Commission can adopt the final adequacy decision, which would allow data transfers from the EU to certified U.S. companies. Adoption of the final adequacy decision is currently expected in summer 2023. In the meantime, and from a practical perspective, it is recommended that companies continue to rely on existing transfer mechanisms, such as Standard Contractual Clauses and BCRs, for data transfers to the U.S. (see our detailed recommendations here). In any event, the largely positive but rigorous assessment by the EDPB will also be a factor to consider in the context of transfer impact assessments.

Authored by: Eduardo Ustaran, Henrik Hanssen, Michael Thiesen, Nick Westbrook.


This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.