EDPB Reported on First Review of Implementation of EU-US Data Privacy Framework

The EU-US Data Privacy Framework (the “DPF”) came into force on 10 July 2023. Pursuant to the DPF, U.S. companies can self-certify for unrestricted transfers of personal data from the EU and, thus, eliminate the need for additional authorizations.

On 4 November 2024, the European Data Protection Board (“EDPB”) published a Report on the first review of the European Commission (the “EC”) Implementing Decision on the adequate protection of personal data under the DPF.

In the Report, the EDPB acknowledges the progress made by U.S. authorities and the EC in the implementation of the DPF. The EDPB also highlights certain areas and aspects that require further attention, clarification, and improvement, including the following:

  • Concerning the commercial aspects of the DPF, the EDPB finds it necessary for the U.S. Department of Commerce (the “DoC”) to set up oversight and enforcement of certified companies’ adherence to the DPF principles, and strongly recommends an increase in the DoC’s ex officio enforcement actions, underlining the necessity for the EC to carefully monitor this aspect in the future;
  • The DoC should strive to provide practical guidance regarding the implementation of the ‘accountability for onward transfer’ principle and the notion of ‘HR data’ under the DPF;
  • With regard to government access to data, the EDPB highlights the need for more transparency regarding how U.S. government agencies apply the principles of necessity and proportionality in data collection under Executive Order 14086. The EDPB urges continuous monitoring of this critical issue in future reviews; and
  • The EDPB emphasizes that an adequate level of protection must be ensured with regard to the governmental acquisition of personal data by U.S. government intelligence agencies from data brokers and other commercial entities that remains uncaptured by Executive Order 14086.

The EDPB supports the suggestion of the EC to conduct the next review of the DPF in three years and believes that this would enable a timely and thorough assessment of the DPF’s practical implementation.

The DGKV Data Protection Team continues to monitor the DPF review and implementation closely and to update clients and followers on developments as appropriate.