EDPB examines EU-US Data Privacy Framework: This still needs to be improved


Transatlantic data exchange is of fundamental importance for trade and business, but has been the focus of legal and data protection discussions for years. The introduction of the EU-US Data Privacy Framework (DPF) in 2023 is intended to create a new basis for secure data transfer. The European Data Protection Board (EDPB) has now dealt with the implementation of the adequacy decision for the USA and has drawn an initial interim conclusion.

This progress has been made in the implementation of the DPF

Following the ruling of the European Court of Justice (ECJ) in the "Schrems II" case, significant shortcomings were identified in the previous data protection agreement, the Privacy Shield. The DPF was developed to address the criticism of the ECJ and to harmonize data protection standards between the EU and the USA.

The first review of the DPF by the EDPB shows progress on the following points in particular:

  • Self-certification of companies: The US Department of Commerce has taken all relevant steps to implement the certification process. This includes developing a new website, updating procedures, working with companies and conducting awareness-raising activities. To date, over 2,800 organizations have been certified.
  • Enforcement: The DPF provides for a multi-stage complaints procedure including an independent arbitration process. Comprehensive guidelines for dealing with complaints have been published on both sides of the Atlantic.

Concerns about government access to data

According to the EDPB, however, the US authorities' monitoring of compliance with the DPF principles is still inadequate. The low number of complaints received to date under the DPF shows how important it is for the US authorities to initiate monitoring measures to check whether DPF-certified companies are complying with the key DPF principles. The EDPB is therefore calling for increased controls.

A central concern of the review relates to government access to data by US authorities, in particular by intelligence agencies. The principles of necessity and proportionality enshrined in the DPF are crucial here. Executive Order 14086 was seen as progress, but concerns remain:

  • The US continues to allow mass surveillance measures without prior independent authorization, which contradicts the requirements of the European Court of Justice.
  • Section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA) regulates the surveillance of non-U.S. citizens outside U.S. territory, e.g. by the NSA. Here, the scope of surveillance measures has been significantly expanded, which raises questions of transparency and predictability.


The EDPB emphasizes that these issues should be given priority in future reviews.

Reading tip: EU Commission adopts new adequacy decision for secure data transfers between EU and US

Law enforcement and legal remedies

The newly introduced Data Protection Review Court (DPRC) offers EU citizens improved opportunities to enforce their rights. Nevertheless, there are challenges:

  • Lack of transparency: DPRC decisions cannot be appealed, which limits accountability.
  • No practical test: Not a single complaint had been submitted by the time of the review in July 2024, so the actual functioning of the mechanisms could not be tested.


Following the audit, the EDPB made specific recommendations, including:

  1. Strengthening proactive enforcement: US authorities such as the Department of Commerce and the Federal Trade Commission should increase their monitoring activities.
  2. Clarification of legal definitions: Unclear terms such as "electronic communications service provider" in Section 702 FISA need to be clarified to ensure legal certainty.
  3. Stronger control of data access: In particular, the use of commercially available data by intelligence services should be more strictly regulated and controlled.


The next review of the DPF should take place within three years to address these outstanding issues and ensure further progress.

Conclusion: The EU-US Data Privacy Framework marks an important step towards secure transatlantic data exchange, but still faces considerable challenges. It remains to be seen whether the US will also address the concerns of the EDPB under the new administration in order to guarantee a level of protection comparable to EU data protection standards in the long term.

Source: Report of the European Data Protection Board on the adequacy of the protection of personal data under the EU-US Data Privacy Framework 
