Skip to content

EDPB publishes opinion on the draft adequacy decision for the EU-US Data Privacy Framework

The European Data Protection Board (EDPB) issued its opinion on the draft adequacy decision of the European Commission (Draft Decision) regarding the EU-US Data Privacy Framework (DPF) on 28 February 2023. The DPF is a proposed mechanism to enable the lawful transfer of personal data from the EU to the US, following the invalidation of the EU-U.S. Privacy Shield by the CJEU in the Schrems II case in July 2020. You can read about the DPF and the Draft Decision in our blog here.

The opinion examines the draft adequacy decision and the DPF in light of the Schrems II decision and the European Essential Guarantees, stressing the need for a comprehensive approach to assess the entire data processing cycle. It recognises the “substantial improvements” that the DPF offers over the previous framework, especially in light of the U.S. Presidential Executive Order 14086 (EO 14086), which was adopted after negotiations between the European Commission and the U.S. Government to address the issues raised by the Schrems II. The EO 14086 provides the safeguards for U.S. signals intelligence activities and introduces the principles of necessity and proportionality and the individual redress mechanism for EU data subjects.

However, the EDPB identified concerns and requested further information and clarifications from the European Commission in its opinion. It urges the European Commission to address these concerns before finalising its adequacy decision for the DPF and to closely monitor the DPF's implementation and compliance in future reviews. The EDPB also appreciates that the adequacy decision will only take effect once all U.S. intelligence offices have adopted updated policies and procedures to apply the enhanced safeguards under EO 14086.

The EDPB made some other key recommendations, including: 

  • urging the European Commission to clarify in the Draft Decision the scope of exemptions where the DPF does not apply (e.g. to comply with a court order or meet public interest) and the safeguards under US law for these exemptions, to better assess their impact on individuals' protection;
  • expressing concern that some major issues raised previously about the invalidated EU-US Privacy Shield still apply (for example, regarding the rights of data subjects to access data and object to processing, the lack of key definitions, the wide exemption for publicly available information and the unclear application of the DPF Principles to processors);
  • recommending that, for onward transfers under the DPF, the initial US recipient must ensure that the importer in the third country provides effective safeguards in light of third country legislation, before transferring the data; 
  • advising that specific rules for individuals' rights on automated decision-making, profiling and AI technologies should be included, to offer sufficient safeguards (such as the right to know the logic involved, to challenge the decision and to obtain human intervention in some cases);
  • stressing the need for effective oversight and enforcement of the DPF, including checks of compliance with its substantive requirements; 
  • acknowledging significant improvements under the EO 14086 regarding the powers and independence of the Data Protection Review Court (DPRC) compared to the Ombudsperson under Privacy Shield, but asking for additional clarifications on the "temporary bulk collection" of EU data and the further retention and dissemination of the data collected in bulk in the US legal framework; 
  • urging the European Commission to closely monitor how the redress mechanism works in practice and expressing concern about the DPRC's standard response, which cannot be appealed, and which only notifies the complainant that either no covered violations were found or that a remediation order was issued. The EDPB recognises that this standard response serves the generally legitimate purpose of protecting sensitive information about U.S. intelligence activities, but is concerned that no exemptions to the standard response are provided. 

The EDPB also criticised the DPF for being too complex for individuals, organisations relying on it and data protection authorities to understand and apply it. It noted that some key definitions were missing or used inconsistently in the DPF.

Next steps

Although not binding, the EDPB’s opinion is highly influential and is likely to be followed by the European Commission. The draft adequacy decision of the European Commission needs a positive opinion of the committee of EU Member States representatives. The European Parliament is also examining the Draft Decision and its Committee on Civil Liberties, Justice and Home Affairs prepared a non-binding draft resolution last month, available here. The draft resolution, which is subject to discussion in the European Parliament in early March, stated that the DPF “fails to create actual equivalence” with the EU on data protection.

You can read the EDPB opinion here.

Related expertise