EDPB releases lukewarm opinion on the EU-US Data Privacy Framework

EDPB releases lukewarm opinion on the EU-US Data Privacy Framework

The European Data Protection Board (EDPB) has released its opinion on the EU-US Data Privacy Framework (DPF). The draft decision on the DPF, which is currently undergoing the legislative process at the EU level, aims to provide an adequate standard of data protection if personal data is transferred to the US pursuant to it. The EDPB acknowledges the improvements in the DPF when compared to the invalidated EU-US Privacy Shield but still expresses concerns over a number of issues.

The EDPB raise a number of issues and recommendations including:

  • The need to address more of the issues identified by the Article 29 Working Party (the EDPB’s predecessor prior to the GDPR) back in 2016 which assessed and concluded that the Privacy Shield (the previous mechanism designed to facilitate the transfer of personal data between the EU and the US) did not provide adequate protection for personal data in accordance with EU standards.
  • The lack of clarity in the structure contributing to an overall complex presentation of the new framework which makes it difficult for relevant stakeholders to understand.
  • Clarification on the scope of the exemptions, including on the applicable safeguards under US law, in order to better identify the impact of these exemptions on the level of protection for data subjects. For example, the argument that the exemptions to the right to access (also known as data subject access requests) might be too broad.
  • Clarification on the principles and safeguards on the further use of personal data accessed by law enforcement agents in the US – currently there is only one example of the grounds on which further dissemination of such data that has been given.
  • The DPF does not introduce a requirement for prior authorisation by an independent authority for bulk collection of data, and safeguards in this context may be insufficient.
  • Clarification on certain practical aspects of the Data Protection Review Court which is the new redress mechanism under the DPF that acts as an independent ombudsman mechanism to deal with complaints.
  • Clarity as to the European Commission’s assessment of the retention rules applicable to personal data of US persons for national security purposes given personal data should only retained for as long as necessary.

The EDPB’s mixed reaction to the DPF follows the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) objections to the DPF, as it “fails to create actual equivalence” with the EU level of data protection. Despite it being a non-binding decision, the European Commission will “carefully analyse” the EDPB’s opinion while we eagerly anticipate the positions of the European Parliament and Council.

See the EDPB’s full opinion here.

Recent posts

Previous
Next
The UK's data protection regulator publishes a new code of conduct for UK private investigators and litigation services
Read more
Unable to row the distance: No copyright in a rowing machine as a work of artistic craftsmanship (WaterRower v Liking)
Read more
The wait is over – Sky v SkyKick decision handed down today
Read more
Autumn Budget 2024: Headlines
Read more
The Final Word
Read more
The UK's new Data (Use and Access) Bill has been introduced into Parliament
Read more
New reforms but a long wait for change: government publishes Employment Rights Bill draft
Read more
The UK's Data Protection Regulator begins its modernisation plans
Read more
A cautionary tale of lessons learnt in cases involving crypto fraud from D'Aloia v Persons Unknown Category A & Ors [2024]
Read more
‘This is a true story’: A lesson learnt from ‘Baby Reindeer’ for shows dramatising the lives of real people
Read more

More from this author

Previous
Next
The UK's data protection regulator publishes a new code of conduct for UK private investigators and litigation services
Read more
The UK's new Data (Use and Access) Bill has been introduced into Parliament
Read more
Facial Recognition Technology: skip the DPIA and face the consequences
Read more
The new UK government announce the Digital Information and Smart Data Bill
Read more
What businesses should consider before implementing monitoring
Read more
'Consent or pay’: the EDPB’s two cents on the right model
Read more
The Government moves to address unlawful immigration exemption under the Data Protection Act 2018
Read more
Byte by Byte: The progress of the UK Data Protection and Digital Information Bill
Read more
The UK Government bridges the gap for UK-US personal data transfers
Read more
The Culture, Media and Sport Committee’s recommendations on monitoring employees
Read more
DATA DEFENCE IN THE METAVERSE: IT'S NOT A GAME
Read more
The Government’s attempts to safeguard the immigration exemption under the Data Protection Act fails in the High Court
Read more
Navigating the grey areas of AI ethics: ICO's updated guidance provides clarity on utilising AI
Read more
ICO focusses on child protection in latest guidance to the games industry
Read more
Government to replace the UK GDPR
Read more

Share this page