On 28 February 2023, the European Data Protection Board – the EU body responsible for the consistent application of the GDPR across EU member states (EDPB) – adopted its opinion (EDPB Opinion) on the proposed EU-U.S. draft adequacy decision (DPF Adequacy Decision). Such opinions are issued by the EDPB in the context of the European Commission’s (EC) legislative consultation process. Although such opinions are non-binding, they carry significant political influence in the EC.
While the EDPB Opinion flags areas of concern and uncertainty regarding the DPF Adequacy Decision, its overall position appears to be cautiously optimistic. The EDPB Opinion is therefore in stark contrast to the European Parliament's draft opinion (EP Opinion) on the DPF Adequacy Decision, which advised against its adoption unless further changes were made.
For more information on the EP Opinion, as well as the background to the EP Opinion and DPF Adequacy Decision, see our previous alert here.
The EDPB Opinion identifies various positive aspects of the DPF Adequacy Decision, flags several areas of concern and uncertainty, and calls on the EC to clarify, monitor and to be on standby to enforce compliance, if required.
Positive aspects of the DPF Adequacy Decision. Among other aspects, the EDPB takes a positive view of the DPF Adequacy Decision's:
- Redress mechanism – the EDPB notes that the redress mechanism available under the DPF Adequacy Decision is a significant improvement compared to the predecessor framework, the EU-U.S. Privacy Shield (Privacy Shield), due to its additional safeguards and enhanced independence, and that a "fairly robust" oversight mechanism was in place.
- Limitations on bulk collection – the U.S. government's ability to undertake bulk collection of EU personal data has been a significant source of tension predating Privacy Shield and has been consistently flagged by privacy activists. The EDPB welcomes the fact that Executive Order 14086 (the Executive Order issued by President Biden that sets out key commitments of the DPF Adequacy Decision) specifies the purposes for which bulk collection may take place, although the EDPB also notes that such purposes may be updated with additional objectives which may not be disclosed to the public. The measures that are available for U.S. law enforcement authorities to access personal data from the EU were also deemed by the EDPB to generally meet the requirements of necessity and proportionality.
Areas of concern and uncertainty. The EDPB flags several practical aspects of the DPF Adequacy Decision as areas of concern, including:
- DPF Principles – the EDPB notes that the structure and terminology of the principles underpinning the DPF Adequacy Decision (DPF Principles) are inconsistent and confusing, and may contribute to a limited understanding of the DPF Principles by enforcement authorities, organizations and individuals.
- Temporary bulk collection – there is uncertainty regarding the legality of temporary bulk collection of personal data. The EDPB notes that such processing is, in effect, a derogation from the safeguards provided for in Executive Order 14086, as the safeguards in Executive Order 14086 do not apply to temporary bulk collection of personal data (on the basis that such temporary bulk collection is required to "facilitate targeted collection"), and there is no requirement for prior authorization or an ex-post review to provide oversight over such temporary bulk collection.
- Automated decision-making safeguards – the safeguards regarding automated decision-making under U.S. law are sector-specific, and the EDPB highlights that the framework under the DPF Adequacy Decision (DPF Framework) should minimize the likelihood of individuals falling outside such safeguards by providing broader rules to maintain individuals’ rights in this context. The EDPB Opinion also calls for specific rules to improve the transparency of automated decision-making and for individuals to challenge or obtain human intervention in such automated processing.
- Redress mechanism independence – the Data Protection Review Court (DPRC) is to be set up as an executive body within the U.S. government, instead of the judiciary. Although the EDPB considers that effective judicial protection and redress may be provided by bodies other than formal courts, how such independence operates in practice should be monitored, along with the effectiveness of the DPRC as a redress mechanism, particularly as the decision of the DPRC is final and cannot be appealed to a judiciary.
- Privacy Shield principles issues – the EDPB also notes that the DPF Principles are "substantially unchanged" from the Privacy Shield principles, and therefore certain areas of concern persist. These include the absence of key definitions, the lack of clarity in relation to the application of the DPF Principles to processors, and the broad exemption for publicly available information.
EC calls to action. The EDPB Opinion calls on the EC, among other actions, to:
- Clarify aspects of the DPF Adequacy Decision – according to the EDPB, further clarification is required regarding various aspects of the DPF Adequacy Decision, including: (a) the safeguards implemented in respect of onward transfers of personal data; (b) how individuals may exercise their rights to access, rectify and object to processing under the DPF Adequacy Decision; (c) how U.S. state laws apply to protect personal data originating from the EU; and (d) the principles and safeguards applicable to U.S. law enforcement authorities regarding their further use of transferred personal data (including how the internal policies and procedures of such authorities implement the safeguards introduced by Executive Order 14086 and protect against the unlawful access of personal data in practice).
- Reassess the DPF Adequacy Decision, if required – the EDPB also notes that the EC should be prepared to suspend, repeal or amend the DPF Adequacy Decision, if necessary, in line with the EC's commitments set out in the DPF Adequacy Decision.
The EDPB Opinion adopts a more pragmatic and positive assessment on the DPF Adequacy Decision than the EP Opinion. Several issues identified in the EP Opinion (such as the independence of the DPRC) are also highlighted in the EDPB Opinion, although they are effectively treated with a wait-and-see approach, as opposed to an outright shortcoming preventing the adoption of the DPF Adequacy Decision. The EDPB Opinion also takes into account several practical and broader considerations, such as how the wider U.S. legal framework affects the functioning of the DPF Adequacy Decision in practice, before determining whether an issue would be an area of concern.
However, the EDPB Opinion by itself still fails to provide significant comfort for those organizations considering certification to the DPF Principles. On the one hand, the DPF Framework should be familiar to organizations – particularly organizations previously certified to Privacy Shield, as the principles and eligibility criteria concerning both frameworks are substantially similar. On the other hand, the durability of the DPF Adequacy Decision remains up for debate – particularly as several concerns with Privacy Shield appear to still persist with the DPF Framework, which are only likely to further encourage privacy activists, such as Max Schrems of the eponymous Schrems II case, to issue a future legal challenge to the DPF Framework.
The EDPB Opinion may influence the finalized version of the EP Opinion (which is still currently in draft form), although its impact on the DPF Adequacy Decision will be of greater interest to organizations. As with the EP Opinion, while the EDPB opinion is non-binding, it carries considerable influence and may lead to further negotiations and amendments to the DPF Adequacy Decision.
This could in turn delay its final adoption date or potentially cause the EC to refuse to adopt the DPF Adequacy Decision. However, if the EC adopts the DPF Adequacy Decision without any further amendments or clarification both opinions may ultimately increase the likelihood of legal challenges to the DPF Adequacy Decision, given that they effectively provide clear avenues for challenge.
Stay Up To Date with Ropes & Gray
Ropes & Gray attorneys provide timely analysis on legal developments, court decisions and changes in legislation and regulations.
Stay in the loop with all things Ropes & Gray, and find out more about our people, culture, initiatives and everything that’s happening.
We regularly notify our clients and contacts of significant legal developments, news, webinars and teleconferences that affect their industries.