This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
| 1 minute read

Light at the end of the tunnel for EU-US data transfers?

Yesterday the European Data Protection Board (EDPB) published its draft opinion on the draft EU-US Data Privacy Framework (the DPF). The DPF is the European Commission’s replacement mechanism for transferring EU personal data to the US following the invalidation of the Privacy Shield in 2020.

The EDPB’s opinion was expected to take a similar line to the LIBE committee of the European Parliament and urge the Commission to not adopt the DPF. Interestingly, the EDPB took a different stance and did not conclude that the DPF does not create an equivalent level of protection as under the GDPR. Instead, in the EDPB’s opinion, the draft DPF has made substantial improvements compared to the Privacy Shield.

However, the EDPB still has comments on the draft. It identified several places where the DPF remains unchanged from the Privacy Shield and asked the European Commission to clarify a number of points of concern. In particular:

  • That the safeguards for the initial transfer to the US must be effective for any onward transfers to a third country given the laws in that country;
  • That the rules around automated decision making should be clarified further, particularly in the light of developments in AI technologies;
  • How bulk collection is treated in the US and whether prior authorisation needs to be obtained and an independent review of the collection is required; and
  • The lack of transparency with the new Data Protection Review Court’s decisions.

The EDPB noted that it was going to watch the development and enforcement of the DPF closely to ensure that the proposed remedies work in practice. It also suggested that the European Commission’s periodic reviews of the DPF be done every three years (rather than four) and that it should give specific attention to those areas of concern raised by the EDPB.

In terms of next steps, the European Commission now has time to consider the EDPB’s opinion and decide whether to amend the draft DPF. As the draft opinion is non-binding, the European Commission is not compelled to take into account any of the EDPB’s suggestions. Even so, it will be interesting to see whether the overall positive message from the EDPB will encourage amendments in the highlighted areas. In particular, if the European Commission agrees to move approval of the DPF to when the US intelligence agencies have updated their policies and procedures, it will delay the current timeline from July 2023 to October 2023 at the earliest.

EDPB welcomes improvements under the EU-U.S. Data Privacy Framework, but concerns remain


data protection and privacy