EDPB says concerns remain with ‘Privacy Shield 2.0’ framework

In an influential, though non-binding, opinion concerning ‘Privacy Shield 2.0’ (54-page / 1.6MB PDF), the European Data Protection Board (EDPB) raised concerns that the proposed framework does not provide for data transferred from the EU to the US to be handled in accordance with data protection standards that are essentially equivalent to those that apply in the EU, as EU law requires.

The European Commission is empowered under the EU GDPR to issue so-called ‘adequacy’ decisions, which effectively declare that a jurisdiction outside of the European Economic Area (EEA) provides an adequate level of protection for personal data. Organisations can transfer data to these jurisdictions without the need for additional safeguards to be applied – like standard contractual clauses (SCCs), one of the other legal tools the GDPR provides for that facilitate international data transfers.

Currently there is no adequacy decision in place applicable to EU-US data transfers. In 2020, the Court of Justice of the EU (CJEU), in the so-called ‘Schrems II’ ruling, invalidated the Commission’s adequacy decision in respect of the original EU-US Privacy Shield. Since then, EU and US negotiators have been seeking to develop a replacement framework.

Last March, the European Commission and the White House jointly announced that a new framework for transatlantic data transfers – the EU-US data privacy framework – had been agreed in principle. The proposed new framework has been dubbed ‘Privacy Shield 2.0’. In October 2022, US president Joe Biden signed an executive order endorsing the framework and making a series of commitments aimed at addressing the issues the CJEU identified with the original Privacy Shield. The European Commission subsequently issued a draft adequacy decision in respect of Privacy Shield 2.0 in December 2022.

Before the Commission can adopt Privacy Shield 2.0, however, it is obliged to consider the opinion of the European Data Protection Board (EDPB) as well as views expressed by MEPs. It is also obliged to accept the binding decision of a committee made up of representatives from EU member states.

The EDPB has now issued its opinion. According to the watchdog, some of the issues identified by the CJEU in relation to the original Privacy Shield have been resolved – issues such as the independence of US oversight bodies from the US government in respect of assessing complaints over the handling of EU citizens’ data. However, it said concerns remain and it has asked the Commission to clarify some issues.

Specific issues it has raised include in relation to whether the proposed framework does enough to ensure that US authorities’ access and use of personal data transferred from the EU is limited to that which is strictly necessary.

In this respect, the EDPB said “the system of law enforcement investigative measures in the US could be considered as generally meeting the requirements of necessity and proportionality in relation to the fundamental rights to private life and data protection” and it welcomed moves to give EU citizens legal avenues to obtain redress against misuse of their data in the US. However, among other things, it called for greater clarity on safeguards applicable to the onward transfer of EU citizens’ data outside of the US and raised concerns in relation to the scope for “bulk collection” of EU citizens’ data for national security purposes.

In further relation to access and use of data for national security purposes, the EDPB said that commitments made in Biden’s executive order in respect of US authorities’ access and use of EU citizens’ data for national security purposes should be reflected in updated policies and procedures of all US intelligence agencies before the Commission adopts its adequacy decision. There is a commitment within the Biden executive order for this to happen by 7 October 2023.

The EDPB also flagged some issues with the principles that businesses wishing to benefit from Privacy Shield 2.0 would have to self-certify to. Those issues include a lack of consistency in the way some “essential terms” are defined, it said, while it also highlighted that the level of protection the framework provides against automated decision-making and profiling appears to vary depending on the sector of the US economy a business operates in. It called for “specific rules” in relation to automated decision making to be built into the framework “to provide sufficient safeguards, including the right for the individual to know the logic involved, to challenge the decision and to obtain human intervention when the decision significantly affects him or her”.

EDPB chair Andrea Jelinek said: “While we acknowledge that the improvements brought to the US legal framework are significant, we recommend to address the concerns expressed and to provide clarifications requested to ensure the adequacy decision will endure.”