Introduction:
The Data Privacy Framework (DPF) is an attempt by the US to replace the invalidated Privacy Shield Agreement. The DPF contains within it a set of guarantees, safeguards and protections that aim to provide essentially equivalent protection to the data of EU citizens when it is transferred to and processed within the US. Currently, the European Commission has assessed the DPF and issued a draft adequacy decision. The draft adequacy decision was then considered by the European Data Protection Board (EDPB). The EDPB has now released its opinion on the same. The EDPB welcomed the DPF; however, it noted that certain issues still persist. This article explores the issues identified by the EDPB and discusses the next steps for European organisations contemplating data transfers.
Specific Issues:
The EDPB acknowledged the changes within the DPF that bring the US regime closer to the requirements of the GDPR; however, it did note areas that the European Commission (EC) may reconsider while finalising the adequacy decision.
- Lack of Consistency in Terminology
The EDPB noted discrepancies in terminology within the DPF, for example between “agents” and “data processors”. Therefore, the EDPB advised that the EC may seek clarification regarding consistency in the approach towards terms used in the DPF. The EDPB suggested that definitions should be consistent with those in European data protection regimes.
- Rights to Access and Restriction
The EDPB suggested that specifics with respect to timelines and the necessity to respond to access requests, if included in the main text of the DPF, could provide clarity. Currently, those aspects are provided as footnotes within the DPF, as was the case within the Privacy Shield Agreement. Additionally, the EDPB recommended that data subject access requests be responded to throughout the life cycle of data processing, as opposed to only when data is stored. The above-mentioned approach may be necessary to prevent the scope from being restricted through legal interpretation.
The EDPB found restrictions on the right to access data when such data is collected from public records. This aspect also diverges from the EU regime, where access to data is provided regardless of whether it is part of a public record.
The EDPB noted that the DPF did not mention the general right of a data subject to object to any processing activity on compelling legitimate grounds. Therefore, the EDPB requested that the EC provide a practical analysis of how the right to object to processing is considered within the DPF.
- Onward Data Transfers
The EDPB found that the DPF had failed to resolve the concern regarding onward data transfers. The draft adequacy decision did not contain an analysis of the obligations imposed on onward transfers of data from the US (if granted adequacy) to a third country. Therefore, the EDPB recommended that onward transfers may only take place if the third country’s national legislation does not undermine the protections provided by the EU regime.
- Automated Decision Making
The EDPB noted that the DPF does not contain specific rules with regard to automated decision making or processing aided by artificial intelligence tools. While the EDPB understands that US laws provide for certain protections, it found such laws to be fragmented and sector specific, leading to multiple interpretations. Therefore, the EDPB recommended:
- adding specific rules explaining the right of the data subject to seek the logic involved,
- providing mechanisms to challenge the decision made, and
- ensuring the right to request human intervention when the decision made causes substantial effects.
- Data Processed by Intelligence Agencies
The EDPB noted that EO 14086 is to be implemented horizontally (by creating agency policies and procedures applicable to day-to-day operations). The EDPB recommended that, in the event an adequacy decision is granted, it should be conditional on the adoption of the policies and procedures of US intelligence agencies. The EDPB also requested that the EC review such policies and procedures after adoption.
The EDPB also noted the safeguards provided by the DPF in relation to bulk collection of personal data by intelligence agencies. However, the EDPB perceived a persisting residual risk and suggested that clear and strict data retention rules must be applicable. Additionally, the EDPB requested clarification on how safeguards on bulk collection will be implemented in practical terms.
- Independence of the Redress Mechanism
The proposed Data Protection Review Court (DPRC) is different from a conventional court, as it is established by an Executive Order issued by the US President, making the DPRC a part of the Department of Justice. Therefore, the EDPB expressed concern and recommended that the practical implementation of the safeguards provided in EO 14086 must also be observed closely by the EC.
Conclusion:
Considering the above, the EDPB has certainly identified gaps and inconsistencies between the DPF and the EU data protection regime that need to be considered by the EC before finalising the adequacy decision. The EDPB has sought clarification on the practical implementation of the principles and safeguards described within the DPF. It is also clear that the EDPB is concerned about some unaddressed issues which were points of contention in the Privacy Shield Agreement. This casts doubt on whether the DPF will hold up at the CJEU.
The EDPB is also conscious of the several promises that have been made within the DPF and EO 14086. Therefore, it suggested that a conditional adequacy decision may be granted if the above issues are resolved and EO 14086 is strictly complied with. The EDPB also noted that the review of the adequacy decision, if granted, will take place one year after the date of its notification, in accordance with Article 45(3) of the GDPR. Subsequent reviews will be conducted at least every three years.
Our Recommendations to Organisations:
As next steps, the EC will now submit the draft decision to the EU member state representatives and, if the EC receives formal approval from 55% of the representatives, the adequacy decision will be published and could be used to transfer data to the US. In the meantime, our recommendations for organisations contemplating transfers to the US are to:
- Only undertake data transfers when absolutely necessary;
- Consider the most appropriate transfer mechanisms as provided under Chapter 5 GDPR;
- Be aware that only after the final adequacy decision is published can organisations in the EU rely on the decision for data transfers.
Trilateral’s Data Protection and Cyber-risk services have significant experience helping our clients achieve compliance with the latest Data Protection and ePrivacy regulations. This includes conducting transfer risk assessments to facilitate necessary data transfers to third countries. Please get in touch with our advisors to discuss your organisation’s requirements.