DATA PROTECTION
DPB issues opinion on draft implementing decision on adequate protection under EU-US Data Protection Framework.
The European Data Protection Board ('EDPB') published, on 28 February 2023, Opinion 5/2023 on the European Commission Draft Implementing Decision on the adequate protection of personal data under the European Union-US Data Privacy Framework ('EU-US DPF').
In particular, the opinion examines general data protection aspects, access and use of personal data transferred from the EU by public authorities in the US, and the implementation and monitoring of the Draft Decision.
More specifically, the opinion highlights that some issues of concern previously raised by the Article 29 Working Party and the EDPB in relation to the Privacy Shield principles remain valid, specifically, in relation to data subject rights, the absence of key definitions, the lack of clarity in relation to the application of the DPF principles to processors, and the broad exemption for publicly available information. Likewise, the opinion recommends that the Commission include in the Draft Decision, clarification on the scope of exemptions applicable to the DPF Principles, including applicable safeguards under US law in order to better identify the impact of these exemptions on the level of protection for data subjects.
In regard to automated decision-making, the opinion details that specific rules concerning automated decision-making are needed in order to provide sufficient safeguards. Moreover, the opinion suggests that information about the US legal context, in which EU-US DPF organisations will operate in would be useful and provide a better understanding of the interaction of the DPF with US law. In addition, the opinion outlines that the EDPB considers the new redress mechanism under the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities ('the Executive Order') an improvement on the past mechanism under the Privacy Shield but notes that the EDPB still sees a need for clarification on issues including 'temporary bulk collection'. More specifically, the opinion details that the reports of the Civil Liberties Oversight Board may be useful in assessing how safeguards under the Executive Order may be implemented.
On the redress mechanism, the opinion highlights that the EDPB recognises significant improvements relating to the powers of the Data Protection Review Court ('DPRC') and its enhanced independence compared to the Ombudsperson. However, the opinion expresses concerns regarding the general application of the standard response of the DPRC. Accordingly, the opinion suggests that the Commission closely monitor the practical functions of the redress mechanism. Furthermore, the opinion provides that the EDPB expects the Commission to follow on their commitment to suspend, repeal, or amend the adequacy decision on grounds of urgency, taking into consideration the safeguards under the Executive Order. Finally, the opinion explains that the EDPB notes the substantial improvements the Executive Order offers compared to the previous legal framework, in particular as regards the introduction of the principles of necessity and proportionality and the individual redress mechanism for EU data subjects.
In particular, the opinion examines general data protection aspects, access and use of personal data transferred from the EU by public authorities in the US, and the implementation and monitoring of the Draft Decision.
More specifically, the opinion highlights that some issues of concern previously raised by the Article 29 Working Party and the EDPB in relation to the Privacy Shield principles remain valid, specifically, in relation to data subject rights, the absence of key definitions, the lack of clarity in relation to the application of the DPF principles to processors, and the broad exemption for publicly available information. Likewise, the opinion recommends that the Commission include in the Draft Decision, clarification on the scope of exemptions applicable to the DPF Principles, including applicable safeguards under US law in order to better identify the impact of these exemptions on the level of protection for data subjects.
In regard to automated decision-making, the opinion details that specific rules concerning automated decision-making are needed in order to provide sufficient safeguards. Moreover, the opinion suggests that information about the US legal context, in which EU-US DPF organisations will operate in would be useful and provide a better understanding of the interaction of the DPF with US law. In addition, the opinion outlines that the EDPB considers the new redress mechanism under the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities ('the Executive Order') an improvement on the past mechanism under the Privacy Shield but notes that the EDPB still sees a need for clarification on issues including 'temporary bulk collection'. More specifically, the opinion details that the reports of the Civil Liberties Oversight Board may be useful in assessing how safeguards under the Executive Order may be implemented.
On the redress mechanism, the opinion highlights that the EDPB recognises significant improvements relating to the powers of the Data Protection Review Court ('DPRC') and its enhanced independence compared to the Ombudsperson. However, the opinion expresses concerns regarding the general application of the standard response of the DPRC. Accordingly, the opinion suggests that the Commission closely monitor the practical functions of the redress mechanism. Furthermore, the opinion provides that the EDPB expects the Commission to follow on their commitment to suspend, repeal, or amend the adequacy decision on grounds of urgency, taking into consideration the safeguards under the Executive Order. Finally, the opinion explains that the EDPB notes the substantial improvements the Executive Order offers compared to the previous legal framework, in particular as regards the introduction of the principles of necessity and proportionality and the individual redress mechanism for EU data subjects.
