On 10 July 2023, the European Commission (“EC”) adopted its adequacy decision for the EU-U.S. Data Privacy Framework. Article 3 of the adequacy decision requires the EC to regularly review this decision, after one year from the date of the notification of the adequacy decision to the Member States. In line with the adequacy decision, five representatives of the European Data Protection Board (“EDPB”) participated in the review meeting on 18 and 19 July 2024.
During its latest plenary, the EDPB adopted a report on the first review of the EU-U.S. Data Privacy Framework. The EDPB focused on the assessment of both the commercial aspects of the EU-U.S. Data Privacy Framework and on the access by U.S. public authorities to personal data transferred from the EU to Data Privacy Framework-certified organisations.
Conclusion of the report
The EDPB welcomes the efforts by the U.S. authorities and the EC to implement the Data Privacy Framework, and takes note of several developments that took place since the adoption of the adequacy decision in July 2023.
Assessment
The EDPB focuses on the evaluation of both:
(i) the commercial aspects of the EU-U.S. Data Privacy Framework:
a. The EDPB notes that the U.S. Department of Commerce took all relevant steps to implement the certification process for U.S. companies. This includes developing a new website, updating procedures, engaging with companies, and conducting awareness-raising activities.
b. The redress mechanism for EU individuals has been implemented and there is comprehensive complaint-handling guidance published on both sides of the Atlantic. However, the low number of complaints received so far under the Data Privacy Framework highlights the importance of having U.S. authorities initiate monitoring activities concerning compliance of Data Privacy Framework-certified companies with the substantive Data Privacy Framework Principles.
c. The EDPB encourages the development of guidance by U.S. authorities, clarifying the requirements that Data Privacy Framework-certified companies would need to comply with when they transfer personal data that they have received from EU exporters.
(ii) the access by U.S. public authorities to personal data transferred from the EU to Data Privacy Framework-certified organisations:
The EDPB focused on the effective implementation of the safeguards introduced by Executive Order 14086 in the U.S. legal framework, such as the necessity and proportionality principles and the new redress mechanism.