Background
On July 10, 2023, the European Commission adopted the adequacy decision on the EU-U.S. Data Privacy Framework (DPF), which applies to commercial entities processing data transferred from the EU. The DPF requires regular reviews, and the first periodic review meeting was held in Washington D.C. on July 18 and 19, 2024, one year after the decision’s adoption.
On November 5, 2024, the European Data Protection Board (EDPB) adopted its first report under the DPF and a statement on the recommendations concerning access to data for law enforcement.
Key Developments and Findings
The EDPB noted several positive developments, while it also identified several points requiring additional clarification and attention during the first periodic review:
- The U.S. Department of Commerce has been proactive in implementing the certification process for companies, including the development of a new website, updating procedures, engaging with companies, and conducting awareness-raising activities.
- The DPF redress mechanism for EU individuals has been successfully implemented and comprehensive complaint-handling guidance is now available on both sides of the Atlantic. However, the EDPB highlighted the low number of complaints received so far, emphasizing the need for U.S. authorities to initiate monitoring activities to ensure the compliance of DPF-certified companies with the DPF Principles.
- In terms of U.S. Public Authorities’ access to data, the EDPB focused on the effective implementation of safeguards introduced by Executive Order 14086, including the principles of necessity and proportionality and the new redress mechanism.
- The EDPB encourages U.S. authorities to develop clear guidance for DPF-certified companies, particularly regarding the transfer of personal data received from EU exporters and the definition of HR Data under the DPF.
- The EDPB calls on the European Commission to monitor, among other things, the developments related to the U.S. Foreign Intelligence Surveillance Act, particularly Section 702, which governs electronic surveillance targeting non-U.S. persons who are reasonably believed to be outside of the United States to obtain foreign intelligence information.
- The EDPB stresses the importance of ensuring adequate protection regarding the governmental acquisition of personal data from data brokers and other commercial entities not covered by Executive Order 14086. The Commission should further assess and monitor this form of government access.
Statement on HLG Recommendations
In addition to the report, the EDPB issued a statement on the recommendations of the high-level group (HLG) on access to data for effective law enforcement:
- The EDPB emphasized the need to safeguard fundamental rights when law enforcement agencies access personal data. While supporting effective law enforcement, the EDPB raised concerns about the potential intrusiveness of some HLG recommendations, particularly regarding privacy and family life.
- The EDPB noted that while the recommendation for a level-playing field on data retention is positive, a broad obligation for all service providers to retain data could significantly interfere with the rights of individuals. The EDPB questioned whether such measures would meet the necessity and proportionality requirements of the EU Charter of Fundamental Rights and CJEU jurisprudence.
- The EDPB also stressed the importance of preserving the effectiveness of encryption. Recommendations that could weaken encryption, such as client-side processes allowing remote access to data before encryption, were criticized.
You may find the EDPB’s report on the first review of the EU-U.S. Data Privacy Framework (DPF), as well as the statement on the recommendations of the high-level group (HLG) on access to data for effective law enforcement, on the EDPB’s official website.
