The European Data Protection Board released its nonbinding opinion on the draft adequacy decision based on the EU-U.S. Data Privacy Framework, welcoming what it called “substantial improvements” while expressing concern and requesting clarification on several points.
In a press release, the EDPB applauded requirements of necessity and proportionality for U.S. intelligence gathering of data, as well as a new redress mechanism for EU data subjects.
However, the EDPB has concerns relating to "certain rights of data subjects, onward transfers, the scope of exemptions, temporary bulk collection of data and the practical functioning of the redress mechanism."
EDPB Chair Andrea Jelinek said, "While we acknowledge that the improvements brought to the U.S. legal framework are significant, we recommend to address the concerns expressed and to provide clarifications requested to ensure the adequacy decision will endure." She also said reviews of the decision should occur at least every three years and the EDPB is "committed to contributing to them."
The EDPB said new redress mechanisms for EU individuals under the draft adequacy framework — including the Privacy and Civil Liberties Oversight Board and Data Protection Review Court — introduce "more effective powers to remedy violations, including additional safeguards for data subjects."
The European Commission published its draft adequacy decision Dec. 13, 2022, paving the way for finalization of the DPF. Both Parliament and the EDPB can present nonbinding opinions for the European Commission to consider towards its adequacy decision.
In its draft opinion published Feb. 14, the European Parliament Committee on Civil Liberties, Justice and Home Affairs rejected the adequacy decision, stating it "fails to create actual equivalence in the level of protection" offered under the EU General Data Protection Regulation. It urged the European Commission to only adopt a decision when "meaningful reforms were introduced, in particular for national security and intelligence purposes" on the part of the U.S.
Jelinek will speak at a LIBE Committee hearing Wednesday, where committee members will discuss a motion on the draft adequacy decision.
Ahead of the opinion, in a letter sent Monday to European Commissioner for Justice Didier Reynders, Members of European Parliament Sophie in‘t Veld and Moritz Körner questioned the European Commission’s participation in the EDPB’s activities and meetings on the adequacy decision. The MEPs asked whether the European Commission's involvement was "limited to the presentation and explanation of the draft decision," or if it was more active in "contributing with edits, wording proposals and drafting contributions."
They also asked whether the European Commission will refrain from participating in EDPB activities related to the "adoption of opinions on its own draft proposals or decisions" to "guarantee the independence of the EDPB and supervisory authorities."
In a tweet, Reynders said, "We will now carefully analyse the (EDPB) opinion on the draft EU-U.S. adequacy decision. This marks another significant step in the restoration of safe transatlantic data flows." He added they will also await the positions of the European Parliament and EU Council.
Commercial and national security aspects
The draft adequacy decision is split into commercial and national security aspects. Of the former, the EDPB "welcomes a number of updates made to the DPF Principles," though it expressed concerns related to some right-of-access exemptions, "the absence of key definitions," as well as the lack of rules related to automated decision making and profiling, among others.
On the government access side of the framework, the "EDPB acknowledges the significant improvements" brought by Executive Order 14086, which introduces necessity and proportionality within U.S. signals intelligence gathering.
The EDPB said it will monitor the application of the principles of necessity and proportionality and seek clarity on bulk data collection, among other specific concerns.
Additionally, "The EDPB also expresses concerns about the lack of a requirement of prior authorisation by an independent authority for the collection of data in bulk under Executive Order 12333, as well as the lack of systematic independent review ex post by a court or an equivalently independent body. With regard to prior independent authorisation of surveillance under Section 702 FISA, the EDPB regrets that the FISA Court does not review compliance with Executive Order 14086 when certifying programmes authorising the targeting of non-U.S. persons, even though the intelligence authorities carrying out the programme are bound by it."
The EDPB called on the European Commission to closely monitor aspects of the redress mechanism and the Data Protection Review Court.
The opinion comes as the Biden administration urges U.S. Congress to renew Section 702 of the Foreign Intelligence Surveillance Act, which was last renewed in 2018. In a statement released Tuesday, U.S. National Security Advisor Jake Sullivan said the White House "strongly supports" Section 702 renewal, as it is the "cornerstone of U.S. national security."
According to The Wall Street Journal, the Biden administration's calls to renew Section 702 are "expected to be a difficult campaign to persuade lawmakers to not curtail spying powers."
This page will stay updated with the latest announcements, analysis and additional resources covering the long-awaited EU-U.S. Data Privacy Framework.
If you want to comment on this post, you need to login.