The European Data Protection Board (EDPB) has issued a long-awaited opinion on the EU-US Data Privacy Framework.

Here are some key takeaways:

The Commercial Part:

  • The scope of the exemptions to the adherence to the principles, including on the applicable safeguards under U.S. law, must be clarified. In addition, the Commission should be informed of and monitor the application and adoption of any statute or government regulation that would affect adherence to the DPF Principles.
  • The DPF Principles are identical to the Privacy Shield Principles and all issues stated by the WP29 in its 2016 opinion continue to apply, as do all of the comments made in the past joint reviews.

Some Specifics:

  • The principles need to clarify which of the DPF Principles are applicable to DPF Organizations that are “processors” or “agents,” and which are applicable to “controllers.”
  • The exceptions to the right of access should be assessed, specifically with respect to publicly available information.
  • The right to object to processing should be added, and it should not only be part of the privacy notice but rather presented in a way that makes exercising it feasible.
  • Address further processing of HR data. Further processing of HR data for nonemployment-related purposes will in most cases be considered incompatible with the original purpose, and that consent will rarely be entirely free when given in an employment context.

Onward Transfers Must Be Addressed Better:

  • Intra group transfers should not be carved out of the requirements.
  • Organizations bound by the framework should assess prior to an onward transfer that the mandatory requirements of the third country’s national legislation applicable to the recipient would not undermine the continuity of protection of the data subjects whose data is transferred.

Automated Decision Making:

  • Specific rules concerning automated decision-making are needed in order to provide sufficient safeguards, regardless of which sector . That includes the right for the individual to know the logic involved, to challenge the decision and to obtain human intervention when the decision significantly affects him or her.
  • It cannot be ruled out that automated decision-making could be used by a US-based controller on data transferred under the Draft Decision (e.g. in the context of employment, for assessing performance at work, insurance and housing.

Enforcement Mechanisms:

  • Oversight by the FTC has to be effective (also regarding the substantive requirements) and must be monitored, including by the EDPB in the periodic reviews.
  • EDPB would welcome further information (i) as to whether the EU DPA’s possibility to give advice on remedial or compensatory measures could include recommendation for fines or the use of investigative powers and (ii) to which extent the EU DPA’s action would be taken into account as evidence for enforcement action by the FTC or the DoT.

The NSA Ate My Cookies Part:

  • Not only the entry into force but also the adoption of the decision are conditional upon inter alia the adoption of updated policies and procedures to implement EO 14086 by all US intelligence agencies.
  • The Commission should assess these updated policies and procedures and share this assessment with the EDPB.
  • Additional clarification is needed on questions, in particular, relating to “temporary bulk collection,” and to the further retention and dissemination of the data collected (in bulk) in the U.S. legal framework.
  • Clarification is also needed as to whether there are any relevant international agreements concluded with third countries or international organizations that may provide for specific provisions for the international transfer of personal data by intelligence services to third countries. The Commission should assess whether the provisions of international agreements may affect the level of protection afforded to personal data transferred from the EEA by the legislative framework and practices in relation to onward transfers for national security purposes.
  • The safeguards of the EO 14086 should be implemented and applied when data is collected under Section 702 FISA and EO 12333 and the PCLOB reports should be reviewed to see whether this is indeed the case.
  • The EDPB remains concerned that the possibility to collect data in bulk, i.e. without discriminants, is still provided without key safeguards such as prior authorization to collect these data.
  • The effects of amendments in the concepts of necessity and proportionality need to be assessed in practice, including the review of internal policies and procedures implementing the EO’s safeguards at agency level.
  • The Commission should suspend, repeal or amend the adequacy decision on grounds of urgency, in particular if the U.S. Executive would decide to restrict the safeguards included in the EO.
  • The specific redress mechanism created under EO 14086 in the data protection rights court (DPRC) as opposed to redress in Article III courts is not per se insufficient and the safeguards provided do not give reason to doubt the DPRC’s independence.
  • The EDPB recognizes that the decisions of the DPRC are indeed reasoned. However, the Commission should closely monitor how the standard response of the DPRC – notifying the complainant that either no covered violations were identified or a determination requiring appropriate remediation was issued, and its non-appealability, taken together – actually works in practice.
  • After the first review, scheduled for one year from notification of adequacy, the Commission should carry out the subsequent reviews at least every three years with any relevant documentation to be shared in writing with the EDPB, including correspondence, sufficiently in advance of the reviews.