On February 28, 2023, the European Data Protection Board (“EDPB”) published its opinion (“Opinion”) on the draft adequacy decision for the EU-US DPF (“Draft DPF”) and concluded that the US legal framework, together with US Executive Order 14608 (“EO”), provides safeguards comparable to those of the EU and that the US ensures an adequate level of protection for personal data transferred from the EU to US companies.
As you may recall, on December 13, 2022, the EU Commission launched the process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework, which will foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in its Schrems II judgment.
The Draft DPF is based on a system of certification by which U.S. organizations commit to a set of privacy principles – the ‘EU-U.S. Data Privacy Framework Principles’, including the Supplemental Principles (together: the Principles) – issued by the U.S. Department of Commerce (DoC) (see Annex I here).
Below is a summary of the Opinion:
Assessment of US legal framework: the Opinion explains that the Commission shall take into account, as part of the assessment of the US legal framework, inter alia, the international commitments the US has entered into in the field of the protection of personal data, such as the US participation in the Budapest Convention on Cybercrime, the OECD Privacy Framework, and the Asia-Pacific Economic Cooperation (‘APEC’) Cross-Border Privacy Rules (CBPR) system.
Assessing data subjects’ rights under the Draft DPF, and mainly the right of access, the EDPB raises certain points of concern. First, the right of access should be granted to individuals broadly wherever their personal data is processed, and not only when it is ‘stored’. Second, the exceptions listed under the Draft DPF, and specifically the exception to the right of access for publicly available information and information from public records, remain a concern, as such a restriction diminishes individuals’ ability to control the accuracy of the data and to verify whether the data were lawfully made public in the first place.
Regarding EU identifiable HR data (of past or present employees) collected in the context of the employment relationship and transferred to and used by a US organization (i.e., a parent, affiliate or unaffiliated service provider in the US) for non-employment-related purposes, such as marketing communications, the Draft DPF requires that the US organization obtain the consent of the employees concerned. However, the EDPB maintains that such consent will rarely be entirely free, as required under EU law, when given in an employment context.
In addition, the Opinion highlights the rapid developments in the field of automated decision-making and profiling, increasingly by means of AI technologies, which call for particular attention with regard to the conditions for obtaining the necessary safeguards. These include, for example, the right to be informed about the specific reasons underlying the decision and the logic involved, to correct inaccurate or incomplete information, and to contest the decision where it has been adopted on an incorrect factual basis. Such automated decision-making is also likely to be performed by a US-based controller, for example in the employment context, for assessing performance at work.
Moreover, the Opinion details that ‘bulk collection’ of data (i.e., the collection of large quantities of signals intelligence data acquired without the use of discriminants) allows access to data in transit to the US without any judicial review or delimitation, and hence requires additional safeguards which are not guaranteed in full by the EO. For example: (1) although bulk collection is subject to necessity objectives, those objectives are too broad; and (2) the process is not subject to independent prior authorization, which is required in order to minimize the risk of the bulk interception power being abused.
Last, the Opinion concludes that the system for access to data for US law enforcement purposes could be considered as generally meeting the requirements of necessity and proportionality in relation to the fundamental rights to private life and data protection, and that a fairly robust independent oversight mechanism is in place.
In its conclusion, the EDPB calls on the Commission to carry out subsequent reviews monitoring the US adequacy decision at least every three years.
Next steps: the EU Commission will need to obtain the green light from a committee composed of representatives of the EU Member States. In addition, the European Parliament has a right of scrutiny over adequacy decisions.
Only then can the European Commission adopt the final adequacy decision, which would allow data to flow freely and safely between the EU and US companies certified by the Department of Commerce under the new framework.
This document is intended to provide only a general background regarding this matter. This document should not be regarded as binding legal advice, but rather a practical overview based on our understanding. APM & Co. is not licensed to practice law outside of Israel.
APM Technology and Regulation Team.