EDPB Adopts Opinion on the EU-U.S. Data Protection Framework

On February 28, 2023, the European Data Protection Board (EDPB) adopted Opinion 5/2023 on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework (Opinion 5/2023), the latest development in the adoption of the EU-US Data Protection Framework (DPF). The DPF is intended to be a replacement for the Privacy Shield, which was invalidated by the Court of Justice of the European Union (CJEU) in the Schrems II decision in July 2020. However, the adoption of Opinion 5/2023 is not the decisive step forward for the DPF that transatlantic businesses may have hoped for.

Opinion 5/2023 follows the European Commission’s publication of its draft Adequacy decision for the EU-US Data Privacy Framework on 13^th December 2022 (Draft Adequacy Decision) and the Committee on Civil Liberties, Justice and Home Affairs (LIBE) committee of the European Parliament’s draft Resolution on the adequacy of the protection afforded by the EU-US Data Privacy Framework (2023/2501(RSP)) on 14^th February 2023 (LIBE Resolution). The LIBE Resolution, while only in draft form, recommended that the European Commission reject the DPF on the basis that the proposed framework fails to create actual equivalence in the level of protection, and that meaningful reforms need to be in place.

The EDPB’s key objective is to provide an opinion to the European Commission on the adequacy of the level of protection afforded to individuals whose personal data is transferred to the United States. Opinion 5/2023 makes a non-binding recommendation that the European Commission should make a number of changes to its Draft Adequacy Decision. However, Opinion 5/2023 does not take a firm position on the DPF. The opinion welcomes a number of changes that the DPF would introduce, but also expresses reservations and recommends the ongoing monitoring of a number of specific aspects of the DPF.

Of particular note, the EDPB makes the following comments and observations in Opinion 5/2023:

1. The EDPB does not expect the US data protection framework to replicate European data protection law, but to provide data subjects with a level of protection essentially equivalent to that guaranteed in the EU.
2. Because the DPF principles are updated but essentially unchanged from those of the Privacy Shield, the EDPB expresses concerns about specific aspects that are currently most relevant in light of legal and technical developments regarding the DPF onward transfer principle (s.2.1.4); lack of rules around automated decision-making (s.2.1.5); and oversight of the DPF (s.2.2).
3. The Commission should include in the Draft Decision clarification on the scope of the exemptions, including on the applicable safeguards under US law, in order to better identify the impact of these exemptions on the level of protection for data subjects.
4. The Draft Adequacy Decision recognises seven redress avenues which are provided to EU data subjects if their personal data are processed in violation of the DPF. These are the same as those included in the former Privacy Shield. The EDPB will closely monitor their effectiveness (s. 2.3).
5. The system of law enforcement investigative measures in the United States could be considered as generally meeting the requirements of necessity and proportionality in relation to the fundamental rights to private life and data protection (para 89); and that, with regard to access by law enforcement authorities to data held by companies in the United States, a fairly robust independent oversight mechanism is in place (para 92).
6. The DPF adequacy decision should be conditional on the adoption of, as well as the entry into force of, the updated policies and procedures to implement the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (EO) by all US intelligence agencies. The EDPB recommends that the Commission assess these updated policies and procedures and share this assessment with the EDPB (s. 3.2.1).

In the final paragraph of the executive summary, the EDPB concludes:

“Overall, the EDPB positively notes the substantial improvements the EO offers compared to the previous legal framework, particularly the principles of necessity and proportionality and the individual redress mechanisms for EU data subjects. Given the concerns expressed and the clarifications required, the EDPB suggests these concerns should be addressed and that the Commission provides the requested clarifications in order to solidify the grounds for the Draft Decision and to ensure a close monitoring of the concrete implementation of this new legal framework, in particular the safeguards it provides, in the future joint reviews.”

The next step in the process is for the European Commission to make any updates it deems necessary to the draft DPF decision, prior to adoption. The Council of the European Union may then adopt the decision, either jointly with the European Parliament or alone after consultation with Parliament. However, given that the LIBE Resolution recommends that the European Commission should reject the draft DPF and Opinion 5/2023 is ambivalent, it is by no means certain that the DPF will be adopted in its present form. The practical implication is that businesses that transfer personal data from European countries to the US should continue to rely on other data transfer solutions for the foreseeable future. 

© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.