The European Data Protection Supervisor (EDPB) published its first report on the EU-US Data Privacy Framework (DPF) on Nov. 20, 2024. This report assesses how data exchanges between the EU and the US are evolving under this framework. The EDPB welcomes the progress that has been made, but also expresses concerns about the protection of personal data in commercial data transfers and the U.S. government's still extensive mass surveillance powers.
According to the General Data Protection Regulation (AVG), the EDPB has an advisory and supervisory role in international data protection, including reviewing adequacy decisions such as the DPF. The EDPB chairman said, "We are pleased that progress has been made since the adoption of the adequacy decision thanks to the fruitful cooperation between the U.S. authorities, the EU Commission and the EDPB. At the same time, there is still room for improvement and we must continue to work together to maintain a high level of data protection and protect the rights and freedoms of EU individuals."
The EDPB is concerned about the lack of clarity in the DPF rules, particularly around automated decision-making and profiling. Also, exceptions to data subjects' rights, such as for "public information," are too broad. Moreover, when further transfers are made to third countries outside the U.S., compliance with DPF rules is not always guaranteed. They also question whether effective enforcement can be achieved in practice. The EDPB acknowledges improvements in U.S. laws, such as restrictions on surveillance, but is concerned about continued mass surveillance without independent oversight. The EDPB also doubts the effectiveness of the regulation in practice, for example with respect to the operation of the Data Protection Review Court and the transparency of FISA court oversight. Interest groups such as NOYB (None of Your Business), led by privacy activist Max Schrems, also remain critical. They argue that the US has not implemented sufficient structural reforms to truly protect EU data from mass surveillance.
The DPF replaces the Privacy Shield, which was invalidated in 2020 by the European Court of Justice in the Schrems II ruling. The reason was that U.S. surveillance programs did not comply with strict European privacy rules. The new DPF, based on improvements such as Executive Order 14086, seeks to close this gap by ensuring that data collection is "necessary and proportionate." It includes stricter data processing rules and introduces new oversight bodies, such as the Data Protection Review Court (DPRC).
While the EDPB calls for improvements and regular reviews, striking a balance between secure data transfers and compliance with EU privacy rules remains a challenge. The framework is expected to be challenged again in the coming years. There is a real chance that new lawsuits will be filed against the EU-US Data Privacy Framework (DPF) in European courts. For example, previous adequacy decisions such as the Privacy Shield and Safe Harbor agreements were also invalidated by the European Court following legal challenges, such as the well-known Schrems cases.
