News about the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework

 

Transatlantic exchanges of personal data between the EU and the US have been particularly encumbered following the invalidation of the EU-US Privacy Shield by the Court of Justice of the European Union in 2020. On 28 February 2023, the European Data Protection Board issued Opinion 5/2023 on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework (the “Opinion”). The Opinion aims to provide feedback on whether US Executive Order 14086, signed on 7 October 2022, sets a framework for the lawful transfer of data between the EU and the US that sufficiently addresses the issues that led to the Privacy Shield invalidation.

The Opinion welcomes and acknowledges certain substantial improvements, such as the introduction of requirements on the principles of necessity and proportionality in the collection of data by US intelligence services, as well as the establishment of a new legal protection mechanism for EU data subjects. At the same time, it expresses concerns related to, for example, the broad exception to the right of access to publicly available information and the lack of specific rules on the automated collection of solutions and profiling.

The main criticism outlined in the Opinion relates to the broad conferral of powers on US intelligence agencies in respect of data collection without establishing effective judicial oversight of the targeting of non-US persons, or another appropriate redress mechanism.

It remains to be seen how the European Commission will react to and approach the feedback of the European Data Protection Board, which, albeit not a legally binding instrument, is of a very authoritative nature. The new EU-US Data Protection Framework is expected to come into effect at some point in 2023. Nevertheless, the certification of US companies remains an ambiguous question. Therefore, US companies should continue focusing their attention on other international data transfer tools available under the GDPR, such as standard contractual clauses (the “SCC”). Please note that companies using SCC should have incorporated in their contracts, by 27 December 2022, the latest version of the standard contractual clauses, published by the European Commission in June 2021, pursuant to Article 46 of the GDPR.