New EU - US Data Privacy Framework (“Privacy Shield II”)
Update: EDPB Opinion – “Improvements have been made, concerns remain”
- Author: Ioanna Zacharopoulou, DP-Dock GmbH
- Last updated: March 2023
- Category: Data Security
Ever since the EU – US Privacy Shield was abolished in July 2020, the data transfers between the EU and third countries (especially the US) for which no adequacy decision has been published, are a complex topic. The signing of Standard Contractual Clauses (“SCCs”) a predetermined, albeit “stiff” contractual text has acted as the sole mechanism ensuring the safety of said transfer up until the EU - US Data Privacy Framework (“DPF”) was introduced by the President Biden administration in October 2022 as a way of facilitating the data flows to and from the US.
Considerably, the DPF has been under much scrutiny from the European Commission. February 28, 2023, the European Data Protection Board (“EDBP”) published its Opinion 5/2023 on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework. Even though the EDPB agrees that improvements have been made to the DPF principles, it argues that there are still changes to be made. More specifically, its concerns circle around the complexity of the DPF text and the difficulty to navigate through its annexes as well as the lack of consistency and transparency in regard to certain definitions or lack thereof. Furthermore, the EDPB appears to be thoughtful towards DPF’s approach to the right of access and the right to object as well as, the lack of clarity in relation to the application of the DPF Principles to processors, and the broad exemption for publicly available information.
What is also very important for the EDPB is that the safety of transfers remains on the same level and can be guaranteed in case more transfers than the initial one take place.
As a next step, the DPF will now need to be approved by a committee of Member States representatives, whereas the European Parliament will also play a decisive role in examining all legal aspects of the DPF. A clear opinion on whether the DPF is eventually going to be implemented is something that cannot be provided with yet.
You can find the EDPB Opinion 5/2023 with a good four page summary here.
