On February 28, 2023, the European Data Protection Board ("EDPB") issued its opinion on the draft adequacy decision of the European Commission (the "Commission") on the new EU-US Data Privacy Framework ("DPF"). The EDPB expressed reservations in connection with the DPF, which will now undergo scrutiny by other European institutions.

Who Should Read This Legal Update

This Legal Update is relevant for companies whose business may involve the transfer of personal data between the EU and the US. If the US is approved as a country with data adequacy on the basis of the DPF, data transfers from the EU by businesses that are certified to the DPF will no longer require separate data transfer mechanisms to provide additional safeguards such as Binding Corporate Rules or Standard Contractual Clauses.

Background

On December 13, 2022, the European Commission published its draft adequacy decision for EU-US data transfers, following the EU-US announcement of an agreement on the DPF in March 2022 and the US Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the "Executive Order"), which was signed by President Biden in October 2022.

If the draft adequacy decision is adopted, the DPF will be the successor to the EU-US Privacy Shield, which was based on an adequacy decision of the European Commission under the General Data Protection Regulation ("GDPR") and subsequently declared invalid by the Court of Justice of the European Union ("CJEU") in its July 2020 Schrems II decision. The DPF is expected to tackle the concerns of the CJEU with respect to transfers of EU personal data to the US.

What's New

The EDPB's opinion is the first step in the process of adopting the draft decision. The EDPB stated that its analysis would focus on assessing the extent to which the DPF addresses the concerns of the CJEU that served as the basis for the Schrems II decision.

Key takeaways of the EDPB's opinion include:

  • Acknowledgment of improvements: The EDPB acknowledged several improvements in the DPF over the Privacy Shield, such as the availability of redress mechanisms that more thoroughly address possible violations of data subjects' rights. It also recognized improvements regarding restrictions on the access and use of EU personal data for criminal law enforcement purposes in the US;
  • Concerns regarding key data privacy aspects: The EDPB identified concerns relating to exemptions to data subjects' right of access, an absence of clear definitions, a lack of rules on automated decision making and profiling, and a lack of clarity on onward transfers;
  • Concerns in relation to the use and access of EU personal data by US public authorities (in particular for national security purposes): The EDPB noted the lack of a requirement of prior authorization for the collection of data in bulk and recommended that the adoption and entry into force of the adequacy decision be made conditional upon adoption of updated policies and procedures to implement the commitments of the Executive Order by all US intelligence agencies.

The EDPB recommended that the European Commission address the above-mentioned concerns to further solidify the grounds for the draft adequacy decision.

Next Steps

The European Commission must now seek approval from a committee composed of representatives of the EU member states. The European Parliament (the "Parliament") has also signaled its intent to exercise its right of scrutiny over the draft adequacy decision. On February 14, 2023, the Parliament proposed a draft opinion concluding that the DPF fails to provide an adequate level of protection and inviting the Commission to continue negotiations with its US counterparts with the aim of creating a mechanism that would ensure such equivalence.

Given the intense scrutiny faced by the draft adequacy decision, businesses should be ready to continue relying on the other data transfer mechanisms available under the GDPR (such as Binding Corporate Rules and Standard Contractual Clauses) in the short- to mid-term. For information on the available data transfer mechanisms pending adoption of the DPF, please refer to our Legal Update from December 2022.

Originally Published by 9 March 2023

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.