
EDPB’s Feedback on the New EU-U.S. Data Privacy Framework

March 6, 2023 | By Preiskel & Co

Background

As previously reported, on 13 December 2022, the European Commission published its draft adequacy decision for the EU-U.S. Data Privacy Framework (the “Framework”). The Framework is only applicable to U.S. organisations which have self-certified.

Two months later, on 28 February 2023, the European Data Protection Board (“EDPB”) adopted its opinion on the draft decision (the “Opinion”), which considers both the commercial aspects and the processing of European personal data by the U.S. public authorities. The Opinion has praised several aspects of the Framework for offering effective data privacy mechanisms, but also highlighted some outstanding concerns.

EDPB Chair Andrea Jelinek stated: “A high level of data protection is essential to safeguard the rights and freedoms of EU individuals. While we acknowledge that the improvements brought to the U.S. legal framework are significant, we recommend to address the concerns expressed and to provide clarifications requested to ensure the adequacy decision will endure. For the same reason, we think that after the first review of the adequacy decision, subsequent reviews should take place at least every three years and we are committed to contributing to them.”

The Positives

As for the positive elements of the Framework, the EDPB accepted and praised the substantial improvements, brought by President Biden’s Executive Order (“EO”) 14086, regarding U.S. government access to EU personal data transferred to the U.S. This means that U.S. intelligence agencies can only access European data to the extent that is necessary and proportionate to protect U.S. national security. The Framework also ensures that, in the instance that U.S. intelligence agencies do go beyond access that is necessary and proportionate, EU individuals can obtain redress, which includes access to a Data Protection Review Court which can adopt binding remedial measures. This was hailed in the Opinion as a positive element which introduces effective powers and additional safeguards to protect data subjects against violations.

However, the EDPB is concerned, amongst other things, about the lack of prior authorisation for bulk data collection, and of systematic independent ex post monitoring by an independent authority or a court, under the EO.

Whilst the proposed Framework seeks to address certain vulnerable aspects of current Trans-Atlantic data privacy, there are a range of elements that the EDPB has requested further clarification on.

This includes areas such as:

  • Expansion of the Principles which are substantially unchanged from the previous Privacy Shield

The EDPB comments that the principles which are set out in the Framework are substantially unchanged when compared against the previous Privacy Shield, despite a number of changes and additional explanations that were provided in the recitals of the Framework. As such, some concerns remain, for example, relating to: (i) some exemptions to the right of access; (ii) the lack of key definitions and clarity about the application of the Framework Principles to processors; (iii) the broad exemption to the right of access for publicly available information; and (iv) the lack of specific rules on automated decision-making and profiling.

  • Onward transfers

The EDPB expresses that organisations which are subject to the Framework rules should ensure, prior to the onward transfer of a subject’s data, that such onward transfer does not undermine the continuity of the protection of the data subject, i.e., the organisation has a responsibility to assess conflicting third-party national legislation requirements that may contradict those of the Framework.

  • The scope of exemptions

The EDPB recommends that the Commission provides clarification on the “scope of the exemptions” that have been set out in the Framework, excluding applicability in instances where it is necessary to meet US conflicting obligations and overriding legitimate interests. The EDPB also recommends that, in light of these exemptions, the Commission should be informed of any further US statute or regulation that would affect adherence to the Framework.

  • Temporary bulk collection of data

The EDPB notes that the safeguards of bulk collection do not presently apply to temporary bulk collection. The EDPB therefore requests clarity here to determine, with certainty, which safeguards are intended to apply to which stage.

  • Practical functioning of the redress mechanism

The EDPB indicates that, whilst the redress mechanism has potential to serve as an effective process, the practical elements are potentially overly optimistic and ambitious, and thus should be supplemented with more clarified detail and heavy monitoring carried out by the Commission. The EDPB further stresses the importance of ensuring that the redress avenues are effective for EU data subjects whose data has been processed in violation of the Framework.

Next Steps

The future fate of the Framework shall now pass to the Commission, which may implement the necessary changes and proposed amendments as submitted by the EDPB before adoption. As there are evidently underlying concerns and room for improvement, the Framework is likely to also be met by legal challenges from EU privacy advocates. It is nevertheless clear that the Framework has the potential to strengthen Trans-Atlantic cooperation, as a fundamental necessity in an increasingly digitalised and data-driven economy.

In the meantime, transfers of EEA personal data to the U.S. remain problematic and need to be assessed carefully and on a case-by-case basis.

 

Find the non-binding EDPB Opinion here.

Please contact Jose Saras and Xavier Prida if you have any questions regarding the above.

The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.

This article is written in English language. Preiskel & Co LLP is not responsible for any translation of all or part of its content into any language.
