This article will look at three areas where the EDPB sees problems with the European Commission’s draft decision: the principles, the redress mechanism, and US national security law.
The EDPB’s opinion is not binding, but its analysis is important. Many of the EDPB’s criticisms could be shared by the Court of Justice of the European Union (CJEU)—and any business planning to rely on the DPF should be prepared for it to fail.
EU-US DPF Principles
The DPF’s principles and supplementary principles (together, “the DPF principles”) are the requirements that certifying businesses must meet when processing personal data imported from the EU.
The DPF principles are essentially the same as the Privacy Shield principles. The principles have not been amended because they were not subject to criticism in Schrems II.
Nonetheless, the EDPB is quite critical of the DPF principles.
Because the DPF principles remain unchanged since Privacy Shield, the EDPB mostly defers to the Privacy Shield opinion adopted by the Article 29 Working Party (WP29).
The EDPB maintains its concerns around:
- Overly broad exceptions to the right of access.
- The “timing and modalities” for the right to object.
- A lack of clarity around how the principles apply to processors.
- The broad exemption for publicly available information.
- A lack of safeguards for onward transfers of personal data.
- A lack of rules around automated decision-making.
But as noted—the principles were not at issue in Schrems II, so this criticism is arguably academic.
The more important issues are redress and national security.
Data subjects have seven initial routes for redress under the EU-US DPF, including via an EU data protection authority (DPA), an independent dispute resolution body, or the US Federal Trade Commission (FTC).
But most important is the availability of “judicial redress” for people who may have been subject to surveillance by US intelligence services.
Under EU law, everyone has the right to an “effective legal remedy before a court or tribunal”. The lack of effective redress was a key reason the CJEU invalidated Privacy Shield in Schrems II.
For the EU-US DPF to succeed, the framework must offer a means of redress that improves upon the Privacy Shield Ombudsperson, which the CJEU said was “not a tribunal” by the standards of EU law.
The EU-US DPF’s redress mechanism has two layers:
- Lodging a complaint with the Civil Liberties Protection Officer of the Office of the Director of National Intelligence (ODNI CLPO or CLPO).
- Appealing to the Data Protection Review Court (DPRC).
There is no further right to appeal following the DPRC’s decision.
Redress: The Good
On the positive side, the EDPB says that the new redress mechanism:
- Is “significantly improved” compared to the Privacy Shield Ombudsperson.
- Provides “more safeguards” for independence.
- Involves “more effective powers to remedy violations”.
- Can impose binding decisions on the intelligence services.
On independence, the EDPB notes that the DPRC does not report to the US Attorney General and is not subject to the Attorney General’s “day-to-day supervision” (but there’s a caveat here—see below). These factors are “a significant improvement over the Privacy Shield”.
Redress: The Bad
On the negative side, the EDPB is concerned about:
- The “standard response” that the DPRC will provide following an appeal (more on this below).
- The fact that DPRC decisions are not subject to appeal.
- The appointment and dismissal of DPRC “judges”.
The EDPB notes that the DPRC is still established within the US executive branch. This raises questions about whether the body is truly independent.
The EDPB is also concerned about the meaning of “day-to-day supervision”. Does this imply that DPRC “judges” will be subject to some other form of supervision by the Attorney General? This should be clarified.
Redress: The Ugly
Perhaps the biggest issue for the EDPB is around the “standard response” provided to data subjects who appeal to the DPRC.
The DPRC will not confirm or deny that a person has been subject to surveillance. Everyone gets a standard response: “The review either did not identify any covered violations or the Data Protection Review Court issued a determination requiring appropriate remediation”.
The EDPB agrees that there is a balance to be struck between the “generally legitimate purpose” of preserving state secrecy and the data subject’s right to an effective remedy. However, the board is concerned about the lack of exceptions to this general rule.
The EDPB says that the DPRC decisions are “reasoned”. But the EDPB is clearly not impressed by the standard response to data subjects, coupled with the fact that DPRC decisions can’t be appealed.
As part of its opinion, the EDPB assesses the US’s rules on access to and use of personal data for national security purposes.
The EDPB judges the US’s national security regime through the lens of the European Essential Guarantees: four principles that must be respected to ensure a sufficient standard of privacy and data protection.
Even taking new safeguards into account, the EDPB has reservations about whether the US meets these guarantees.
Clear, Precise, and Accessible Rules
Any interference with the fundamental rights to privacy and data protection must be based on clear, precise, and accessible rules.
The EDPB identifies that surveillance (or “signals intelligence”) activities by US authorities take place under a range of laws and orders that are accessible to the public.
However, the EDPB is concerned by a lack of clarity around the definitions and scope of some of these legal instruments.
EO 14086, the executive order issued in light of Schrems II that is designed to enhance safeguards for signals intelligence activities, is supposed to clarify when signals intelligence activities can take place.
The order includes a list of 12 objectives in pursuit of which intelligence agencies can access personal data. The EDPB notes that some of these objectives are “general” (read: “vague”), such as “global security”.
The EDPB also recommends that the Commission should not adopt its adequacy decision unless the US adapts EO 14086 into a set of policies and procedures for US intelligence agencies.
Necessity and Proportionality
Limits to the rights of privacy and data protection must be necessary and proportionate in pursuit of legitimate objectives.
The EDPB notes that EO 14086 supposedly imposes “proportionality” and “necessity” requirements on intelligence services.
But the board is quite critical of how EO 14086 treats “bulk collection”—the indiscriminate collection of personal data for intelligence purposes.
The EDPB approves of how EO 14086 prioritises targeted surveillance over bulk collection. The order also provides limited grounds on which intelligence agencies can conduct bulk collection.
However, the EDPB takes issue with several aspects of how EO 14086 treats bulk collection, namely:
- Large volumes of data can still be collected.
- The president can add to the list of authorised grounds for bulk collection.
- Bulk collection does not require independent prior authorisation and is not subject to independent review.
- The rules around retaining personal data collected in bulk are unclear.
- There are no adequate restrictions on how intelligence agencies can disseminate or transfer data collected in bulk (or otherwise).
Does the EDPB Think the DPF Is Good or Bad?
The EDPB doesn’t give the DPF a mark out of ten. The opinion is quite balanced—but also rather critical.
The board clearly sees improvements over Privacy Shield. The opinion “welcomes” many aspects of the new framework and accepts others (such as the principles) more reluctantly.
However, there are some fundamental issues with the DPF that the EDPB cannot ignore, including the “standard response” offered to data subjects by the DPRC, the lack of oversight regarding bulk collection, and the imprecise definitions of certain important terms.
The EDPB’s opinion on the draft adequacy decision contains some recommendations for the Commission. However, the EDPB can’t veto the adoption of the adequacy decision.
Whether the adequacy decision succeeds or not, the EDPB’s analysis is a helpful reminder of the issues that might lead to the decision’s invalidation by the CJEU.
Businesses planning to rely on the DPF for transfers of personal data might consider having a backup plan in case the framework eventually fails.