The latest development on the long road to a replacement for the Privacy Shield, which was struck down by the Court of Justice of the European Union in its Schrems II decision (2020), is the European Data Protection Board’s opinion adopted February 28, 2023 (Opinion 5/2023). That opinion looks at whether the newly proposed EU-U.S. Data Privacy Framework (“DPF”) provides adequate protection for EU personal data transferred to the United States.
I discussed the DPF in an earlier blog post. In that post, I raised the key question of why the DPF should survive legal challenges where the Privacy Shield (and its predecessor, the Safe Harbor Framework) did not.
The EDPB’s opinion, which the European Commission (EC) solicited under GDPR Art. 70(1)(s), offers both hope and reason for concern on that front. On the hopeful side, the EDPB noted:
- The U.S. data protection framework doesn’t have to replicate European data protection law. It just has to provide an “essentially equivalent” level of protection. So the bar isn’t set impossibly high.
- The U.S. Government has forcefully expressed its commitments to prioritize the investigation of DPF violations and will provide a number of redress avenues to EU data subjects who assert that their personal data has been processed in violation of the DPF.
- U.S. Executive Order 14086 (EO 14086), which is aimed at enhancing safeguards with respect to U.S. government surveillance (thus remedying certain deficiencies noted in the Schrems II decision), is a “significant improvement.” In particular, EO 14086 creates specific rights for EU residents and (via the Data Protection Review Court) more effective powers to remedy violations.
However, the EDPB sounded several cautionary notes:
- The DPF’s coverage of AI technologies was singled out as a particular concern. The EDPB proposed that specific rules for automated decision-making (which encompasses AI) are needed, including “the right for the individual to know the logic involved, to challenge the decision and to obtain human intervention when the decision significantly affects him or her.” That may be a heavy lift when AI algorithms are essentially a black box.
- Citing the exemptions from adherence to the DPF Principles that the DPF provides (such as to the extent necessary to comply with a court order or for public interest purposes), the EDPB asked the EC to clarify the scope of those exemptions.
- The EDPB expressed concern about safeguards for onward transfers, and in particular whether those safeguards could be undermined if the legislation of any third country where an onward transferee may be located does not provide effective protection.
- While welcoming EO 14086, the EDPB proposed that the implementation of the DPF be conditioned upon the adoption by U.S. intelligence agencies of “updated policies and procedures” making the safeguards promised by EO 14086 a reality.
- The U.S. legal framework still allows collection of bulk data under Executive Order 12333, and that collection neither requires prior authorization by an independent authority nor provides for a systematic independent review ex post by a court or other independent body.
So what’s next? The EDPB proposes that the EC address the concerns expressed in its opinion and provide the requested clarifications “to solidify the grounds” for the DPF and ensure the close monitoring of its implementation. Far from being a green light for the DPF, the EDPB opinion requires that the EC sharpen its pencils and, working with U.S. authorities, bolster the protections that the DPF currently offers.