PONT Data&Privacy


First review of Data Privacy Framework: EDPB mostly positive

The AP and the other privacy regulators in Europe, united in the European Data Protection Board (EDPB), have completed the first review of the EU-US Data Privacy Framework (DPF) for transfers of personal data to the United States (US). The EDPB is mostly positive, but also sees some areas for improvement.

Autoriteit Persoonsgegevens November 8, 2024

News press release


The EDPB evaluated the DPF for the first time, along with the European Commission (EC). The EC published its own evaluation report in October.

EU-US Data Privacy Framework

The DPF entered into force on July 10, 2023. It regulates the protection of personal data in data flows between the European Union (EU) and the US, and should eliminate the shortcomings found by the European Court in the DPF's predecessor, the Privacy Shield.

Transfer of personal data for commercial purposes from the EU to the US is only possible for companies that have certified themselves under the DPF. In this first review, the EDPB looked at the application and enforcement of the requirements that apply to these companies, and at the safeguards that ensure that U.S. intelligence agencies cannot simply access this data.

What does the EDPB think?

  • The EDPB notes that the U.S. Department of Commerce has taken the necessary steps to implement the certification process.

  • The EDPB is also positive about the complaint mechanism for EU citizens. For this purpose, both the US and the EU have published guidelines for handling citizen complaints about the DPF. However, the low number of complaints received so far underscores the importance of US authorities monitoring DPF compliance by DPF-certified companies.

  • The EDPB encourages U.S. authorities to develop guidelines clarifying the requirements that DPF-certified companies must meet when transferring personal data received from EU exporters. Guidance from U.S. authorities on personnel data, the definition of which is not quite the same in the U.S. and in the EU, would also be welcome.

  • The EDPB could not properly assess whether U.S. intelligence agencies were complying with the DPF's restrictions on access to Europeans' personal data, because there was too little experience with this at the time of the review.

  • The EDPB recommends that the EC monitor future developments of the U.S. Foreign Intelligence Surveillance Act (FISA), especially since the scope of Section 702 was expanded earlier this year. Section 702 deals with access to data of persons who are not US citizens and who may also be located outside the US.

  • There is also a new complaint mechanism for U.S. intelligence agencies. The EDPB considers this an improvement over the former Privacy Shield. However, the EDPB reiterates its call for the EC to continue monitoring the practical effect, given that no complaints had been received by the time of the review.

Given these concerns, the EDPB recommends that the next review be conducted sooner than the 4 years provided for in the adequacy decision.
