Trans-Atlantic Data Privacy Framework is Still a Work in Progress

EDPB issues its opinion on the framework, saying many things still need to be clarified, developed, or further detailed


You may have heard about the Trans-Atlantic Data Privacy Framework (DPF). In this article, we’ll explain where it stands now and why you should care: it may be related to the way your data is being stored, shared, and processed on the Internet.

What is the Trans-Atlantic Data Privacy Framework?

The Trans-Atlantic Data Privacy Framework, or DPF for short, is a legal framework that helps US and EU companies work together to address the differences in legal requirements for data protection in both regions. It enables companies to self-certify to demonstrate compliance with European Union (EU) laws on personal data privacy and other trade regulations.

Speaking of EU laws, the main one is the General Data Protection Regulation (GDPR), which was enacted in May 2018 to govern how companies handle personal data. And now, with the DPF, the United States and the EU want to create a framework to enable continued data transfers across borders.

The DPF is meant to supplement existing agreements like Privacy Shield, which was deemed insufficient to deal with the unique nature of transatlantic data flows and their implications for privacy protection.

This framework is not mandatory, but many companies with EU operations or customers may find that they benefit from complying with it.

EDPB’s opinion on the EU-U.S. Data Privacy Framework

On the last day of February, the European Data Protection Board (EDPB) issued its Opinion 5/2023 on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework.

In the Opinion, the EDPB recognized substantial improvements in the proposed EU-U.S. Data Privacy Framework (DPF) when compared to Privacy Shield whilst also stating that a number of aspects of the DPF need to be clarified, developed, or further detailed.

The EDPB positively notes the improvements made in the DPF, particularly regarding the introduction of the principles of necessity and proportionality and the individual redress mechanism for EU data subjects. Also, it takes into account the commitments of U.S. authorities in enforcing the DPF, and considers that this enforcement should be adequately monitored.

However, the EDPB added that DPF’s complexity might make it difficult for some stakeholders to understand, while some key definitions are missing from the text.

They also find that the exceptions to the right to access may be too broad in the DPF and that further guarantees should be provided with regard to the possibility of transfers of data of EU data subjects. Likewise, additional safeguards are necessary in the context of automated decision-making.

The EDPB notes that the DPF does not introduce a requirement for prior authorization by an independent authority for bulk data collection, and it thinks safeguards in this context may be insufficient.

Further, they think that the new redress mechanisms represent a positive evolution when compared to Privacy Shield. In particular, the Data Protection Review Court offers reinforced guarantees, for instance, in terms of independence. However, clarifications on certain aspects, such as access to information by judges, may still be required.

Related to that, the EDPB believes that the general use of the standard response by the Data Protection Review Court may not adequately take into consideration the balance between the rights of the individuals and concerns of national security.

Finally, writing about the effectiveness of EO 14086, the EDPB thinks it will depend on adopting policies and procedures for its implementation by the U.S. Intelligence Agencies. To that end, they believe that both the adoption and entry into force of the DPF should be made conditional on the adoption of said policies and procedures.

What’s next for DPF?

While the Opinion of the EDPB is not binding, it is expected to influence both Member State representatives and the European Parliament in their respective tasks.

So, the following steps involve the approval of the DPF by a committee of Member States’ representatives, with the European Parliament likely to continue scrutinizing the process.

We’ll see where this goes, and in the meantime — as well as when the DPF is ratified — we will continue to rely on our VPNs to get around the Internet in a more anonymous fashion.