On November 4, 2024, the European Data Protection Board (“EDPB”) adopted its first report (the “Report”) under the EU-U.S. Data Privacy Framework (“DPF”), welcoming the efforts made by U.S. authorities and the European Commission to implement the DPF.
The Report follows the EDPB’s review of the European Commission’s adequacy decision for the DPF, which is required by Article 3 of the decision. The review focused on the commercial aspects of the DPF, and on access by U.S. public authorities to personal data transferred from the EU to DPF-certified organizations. With respect to the DPF’s commercial aspects, the EDPB noted that the U.S. Department of Commerce took all relevant steps to implement the certification process for U.S. companies, including developing a new website, updating procedures, engaging with companies, and conducting awareness-raising activities. However, it also noted the low number of eligible complaints received from data subjects in the first year of the DPF, and encouraged the Department of Commerce and the Federal Trade Commission to proactively increase ex officio investigations as regards substantial compliance of certified organizations with all DPF Principles.
The EDPB also requested practical guidance from the Department of Commerce on the Accountability for Onward Transfer Principle of the DPF, to clarify the requirements that DPF-certified organizations receiving personal data from EU exporters need to comply with when transferring such data to other third countries, as well as guidance on the notion of “HR Data.”
With respect to access by U.S. public authorities, the Report focused on the implementation of additional safeguards under Executive Order 14086, stating that the EDPB would have welcomed an opportunity to discuss examples of how the principles of necessity and proportionality have been specifically interpreted and applied at agency level. Among other observations, the EDPB noted significant improvements in the provision of effective redress, in particular with respect to the powers of the Data Protection Review Court, but stated that the redress mechanism should remain a priority during future periodic reviews.
The EDPB advised that the next review of the DPF take place in less than four years.