First evaluation of Data Privacy Framework: EDPB predominantly positive

Themes:
Transfer within and outside the EEA
International cooperation

The Dutch DPA and the other data protection authorities in Europe, united in the European Data Protection Board (EDPB), have finalised the first evaluation of the EU-US Data Privacy Framework (DPF) for transfers of personal data to the United States (US). The EDPB is predominantly positive, but also has some points for improvement.

Together with the European Commission (EC), the EDPB has evaluated the DPF for the first time. The EC published an evaluation report of its own in October.

EU-US Data Privacy Framework

The DPF entered into effect on 10 July 2023. The DPF arranges the protection of personal data that are part of data flows between the European Union (EU) and the US. It should also eliminate the shortcomings that the European Court found in the predecessor of the DPF, the Privacy Shield.

Personal data transfers for commercial purposes from the EU to the US are only possible for companies that have certified themselves under the DPF. During this first evaluation, the EDPB looked at the application and enforcement of the requirements that apply to these companies, and at the safeguards that ensure that the American intelligence services do not have access to these data without a good reason.

What does the EDPB think?

  • The EDPB finds that the US Department of Commerce has taken the necessary steps to implement the certification process.
  • The EDPB is also positive about the complaint mechanism for EU citizens. Both in the US and the EU, guidelines have been published for dealing with complaints by citizens about the DPF. However, the low number of complaints received so far stresses the importance of supervision by the American authorities of compliance with the DPF principles by DPF-certified companies.
  • The EDPB encourages the development by the American authorities of guidelines that clarify the requirements that DPF-certified companies have to meet when transferring personal data received from EU exporters. Guidelines by the American authorities about personnel data, the definition of which is not quite the same in the US and the EU, would also be welcomed.
  • The EDPB was unable to adequately assess whether the American intelligence services comply properly with the restrictions imposed by the DPF on access to personal data of Europeans. This is because at the time of evaluation, insufficient experience had been gained on this point.
  • The EDPB recommends that the EC keep an eye on future developments of the US Foreign Intelligence Surveillance Act (FISA), especially since the scope of Section 702 was expanded earlier this year. Section 702 is about access to data of persons who are not US citizens and who may also be outside the US.
  • A new complaint mechanism has also been set up for American intelligence services. The EDPB feels that this is an improvement, compared to the former Privacy Shield. The EDPB repeats its call to the EC to keep monitoring the practical implementation, though, as no complaints had yet been received at the time of the evaluation.
  • Given these points for attention, the EDPB recommends that the next evaluation be carried out sooner than in four years, as set out in the adequacy decision.
