EU – EDPB comments on the upcoming EU-US Trans-Atlantic Data Privacy Framework
Browse this blog post
Related news and insights
Blog Post: 25 May 2023
EU General Court annuls EDPS decision and examines when personal data can be considered anonymised
Publications: 25 May 2023
Happy birthday, GDPR – five lessons from five years of EU data protection law
Blog Post: 24 May 2023
Compensation claims under the GDPR unpicking the latest EU and English case law and looking ahead
Blog Post: 17 May 2023
European Parliament committees adopt their vision on the AI Act proposal
On 6 April 2022, following the announcement of the political agreement on a new EU-US Trans-Atlantic Data Privacy Framework having been reached between the European Commission and the United States on 25 March 2022, the European Data Protection Board (EDPB) adopted a statement to welcome this development as ‘a positive first step in the right direction’.
You can read about the new framework in our blog here.
Despite the positive tone of the statement and commitment to play a constructive role in developing of a new framework to the benefit of individuals and organisations in the EEA, the EDPB appears somewhat sceptical. The EDPB emphasises that it is only a political agreement at this stage. It does not represent a legal framework that would provide a basis for data transfers from the EEA to the US. This means that data exporters should continue taking measures necessary to comply with the decision of the Court of Justice of the European Union (CJEU) in Schrems II.
The statement further reiterates that the European Commission will need to seek an opinion of the EDPB, as required by the GDPR, before adopting a possible new adequacy decision recognising the level of data protection guaranteed in the US under the new framework as satisfactory. The EDPB will issue such an opinion once all supporting documents are made available by the European Commission. The EDPB notes that it will:
- analyse in detail how the announced steps to be taken by US authorities would ensure that only strictly necessary and proportionate collection of personal data for national security purposes takes place;
- examine whether the intended independent redress mechanism would respect the EEA individuals’ right to an effective remedy and to a fair trial;
- verify whether any new authority, proposed as part of the new redress mechanism, would have access to relevant information and whether its decisions would be binding on the intelligence services;
- analyse the judicial remedies against this authority’s decisions or inaction.
The statement on the new EU-US data transfer framework was adopted during the EDPB plenary session of 6 April 2022. Other issues considered by the plenary session include:
- recent legislative proposals in Belgium that raise concerns of the EDPB about the potential negative impact on the stability and independence of the Belgian supervisory authority. The EDPB adopted a letter summarising its concerns and pointing out potential areas of tension of new bills with the requirements of the GDPR. The letter is available here;
- a decision to request an observer status within the Spring Conference of European Data Protection Authorities, which offers a platform for engagement with authorities in Europe, including those in non-EEA countries. More information about the Spring Conference is available here.