The European Data Protection Board (EDPB) adopted its opinion on the draft adequacy decision regarding the EU-U.S. Data Privacy Framework, stating the EDPB welcomes improvements, but still has concerns.

As discussed on Rob Robinson’s excellent ComplexDiscovery site (EDPB Welcomes Improvements under the EU-U.S. Data Privacy Framework, but Concerns Remain, available here), the announcement stated: “The EDPB welcomes substantial improvements such as the introduction of requirements embodying the principles of necessity and proportionality for U.S. intelligence gathering of data and the new redress mechanism for EU data subjects. At the same time, it expresses concerns and requests clarifications on several points. These relate, in particular, to certain rights of data subjects, onward transfers, the scope of exemptions, temporary bulk collection of data and the practical functioning of the redress mechanism.”

EDPB Chair Andrea Jelinek said: “A high level of data protection is essential to safeguard the rights and freedoms of EU individuals. While we acknowledge that the improvements brought to the U.S. legal framework are significant, we recommend to address the concerns expressed and to provide clarifications requested to ensure the adequacy decision will endure. For the same reason, we think that after the first review of the adequacy decision, subsequent reviews should take place at least every three years and we are committed to contributing to them.”

The Draft Adequacy Decision, published by the European Commission on 13 December 2022, is based on the EU-U.S. Data Privacy Framework (DPF) – meant to replace the Privacy Shield invalidated by the CJEU in the Schrems II judgment. The key component of the DPF is the EU-US Data Privacy Framework Principles, which were issued by the U.S. Department of Commerce. The DPF is only applicable to U.S. organisations which have self-certified. The EDPB has now adopted its Opinion on the Draft Decision, which considers both the commercial aspects and U.S. public authorities’ access and use of data.

Rob has the full announcement on his site here as well as the embedded 54-page(!) opinion. Looks like there’s still much work to be done!

So, what do you think? Will the EU-U.S. Data Privacy Framework address the Privacy Shield’s shortcomings? Or will there be a “Schrems III” decision? 😉 Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.