Listen
to
this
post
On
February
28,
2023,
the
European
Data
Protection
Board
(“EDPB”)
issued
its
Opinion
5/2023
on
the
European
Commission
Draft
Implementing
Decision
on
the
adequate
protection
of
personal
data
under
the
EU-US
Data
Privacy
Framework
(the
“Opinion”).
In
the
Opinion,
the
EDPB
recognized
substantial
improvements
in
the
proposed
EU-U.S.
Data
Privacy
Framework
(“DPF”)
when
compared
to
Privacy
Shield,
whilst
also
stating
that
a
number
of
aspects
of
the
DPF
need
to
be
clarified,
developed
or
further
detailed.
Key
Takeaways
from
the
EDPB’s
Opinion
-
The
EDPB
positively
notes
the
substantial
improvements
made
in
the
DPF,
in
particular
as
regards
the
introduction
of
the
principles
of
necessity
and
proportionality
and
the
individual
redress
mechanism
for
EU
data
subjects.
It
also
takes
into
account
the
commitments
by
U.S.
authorities
in
enforcing
the
DPF,
and
considers
that
this
enforcement
should
be
adequately
monitored. -
The
DPF’s
complexity
may
make
it
difficult
for
relevant
stakeholders
to
understand,
and
some
key
definitions
are
also
missing
from
the
text. -
Exceptions
to
the
right
to
access
may
be
too
broad
in
the
DPF,
further
guarantees
should
be
provided
with
regards
to
the
possibility
of
further
transfers
of
data
of
EU
data
subjects,
and
additional
safeguards
are
necessary
in
the
context
of
automated
decision-making. -
The
DPF
does
not
introduce
a
requirement
for
prior
authorization
by
an
independent
authority
for
bulk
collection
of
data,
and
safeguards
in
this
context
may
be
insufficient. -
The
new
redress
mechanisms
under
the
DFC
represent
a
positive
evolution
when
compared
to
Privacy
Shield.
In
particular,
the
Data
Protection
Review
Court
offers
reinforced
guarantees,
for
example,
in
terms
of
independence.
However,
clarifications
on
certain
aspects,
such
as
access
to
information
by
judges,
may
still
be
required. -
The
general
use
of
the
standard
response
by
the
Data
Protection
Review
Court
may
not
adequately
take
into
consideration
the
necessary
balance
between
rights
of
the
individuals
and
considerations
of
national
security. -
The
effectiveness
of
EO
14086
will
depend
on
the
adoption
of
policies
and
procedures
for
its
implementation
by
U.S.
Intelligence
Agencies.
The
EDPB
believes
that
both
the
adoption
and
entry
into
force
of
the
DPF
should
be
made
conditional
on
the
adoption
of
said
policies
and
procedures.
Next
Steps
The
DPF
will
now
need
to
be
approved
by
a
committee
of
Member
States
representatives.
The
European
Parliament
is
also
likely
to
continue
scrutinizing
the
process.
While
the
Opinion
of
the
EDPB
is
not
binding,
it
is
expected
to
influence
both
Member
State
representatives
and
the
European
Parliament
in
their
respective
tasks.