EU: Unpacking the EDPB opinion on the draft adequacy decision under the EU-US DPF

The European Data Protection Board ('EDPB') published, on 28 February 2023, Opinion 5/2023 ('the Opinion') on the European Commission Draft Implementing Adequacy Decision ('the Draft Adequacy Decision') on the adequate protection of personal data under the European Union-US Data Privacy Framework ('EU-US DPF'). Overarchingly, the Opinion concludes that the EDPB welcomes the improvements introduced by the Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities ('the Executive Order'), whilst highlighting key areas of concern, as well as areas for further clarification. OneTrust DataGuidance Research provides a summary of the key issues considered by the EDPB in its Opinion.


Background

The Draft Adequacy Decision, published by the European Commission on 13 December 2022, is meant to replace the Privacy Shield invalidated by the Court of Justice of the European Union ('CJEU') in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Judgement'), and comes after the issuance of the Executive Order by U.S. President Joseph Biden.

The Opinion clarifies that the EDPB's key objective is to give an opinion to the European Commission on the assessment of the adequacy of the level of protection afforded to individuals whose personal data is transferred to the US.

US data protection framework

The Opinion highlights that the EDPB does not expect the EU-US DPF to replicate European data protection law. However, the Opinion provides that, regarding adequacy, the EDPB does consider Article 45 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the case law of the CJEU in determining whether a third country's legislation provides a level of protection essentially equivalent to that guaranteed in the EU.

Regarding access to personal data transferred from the EU to the US, the Opinion notes that a number of legal bases, limitations, and safeguards apply. This includes the U.S. Constitution in regard to law enforcement, and the Foreign Intelligence Surveillance Act ('FISA'), Executive Order 12333 on United States Signals Intelligence Activities ('Executive Order 12333'), the Executive Order, and Executive Order 5517-2022 establishing a Data Protection Review Court ('DPRC'), which provide a legal basis for accessing personal information for national security purposes.

As the US does not have a specific and comprehensive federal data protection framework, the Opinion outlines that the Draft Adequacy Decision of the European Commission is based on the EU-US DPF. Notably, the Opinion points out that the EU-US DPF principles clarify that the GDPR is not affected in its applicability, and existing privacy obligations under US law are not limited.

General overview

Regarding the EU-US DPF principles, the Opinion welcomes updates, which will constitute a binding legal framework for EU-US DPF organisations, but details that the EU-US DPF principles are largely the same as those under the Privacy Shield. In addition, the Opinion states that, although the assessment contained in the Draft Adequacy Decision relates to the EU-US DPF principles, it would nevertheless welcome further information about the US legal context in which EU-US DPF organisations will operate to have a better understanding of the interaction of the EU-US DPF with US law.

More specifically, the Opinion provides that adherence to the EU-US DPF principles by EU-US DPF organisations may be limited to the extent necessary to comply with a court order or to meet public interest, law enforcement, or national security requirements. Consequently, the Opinion recommends that the European Commission, in its Draft Adequacy Decision, clarify the scope of exemptions, including applicable safeguards under US law to better identify the impact of the exemptions on the level of protection for data subjects.

Similarly, the Opinion notes a general lack of clarity throughout the EU-US DPF. This includes the use of consistent terminology, with the EDPB singling out the inconsistent use of terms, including 'processing', 'agent', and 'processor', which may result in legal uncertainty and possible loopholes for the protection of personal data. Moreover, the EU-US DPF principles fail to distinguish between those principles applicable to agents and those applicable to controllers. However, the EDPB does provide that terms do not have to mirror GDPR terminology.

Further issues of uncertainty are noted regarding the purpose limitation principle, with terms, such as 'different purposes', 'materially different purposes', or 'a use that is not consistent with', used by the EU-US DPF principles without a clear definition.

International commitments

In relation to international commitments based on Article 45(2)(c) of the GDPR, the Opinion highlights that the US is a party to several international agreements that guarantee the right to privacy, including the International Covenant on Civil and Political Rights, the Convention on the Rights of the Child, and the Budapest Convention on Cybercrime. In addition, the Opinion points out that the US is a member of the Organisation for Economic Co-operation and Development ('OECD'), which encompasses the Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data and the Declaration on Government Access to Personal Data held by Private Sector Entities, and the Asia-Pacific Economic Cooperation ('APEC') Cross-Border Privacy Rules ('CBPR') System. The Opinion also notes the US' participation as an Observer State in the work of the Consultative Committee of the Council of Europe's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108').

Likewise, the Opinion welcomes the developments at the state level in relation to data privacy legislation, namely in California, Colorado, Connecticut, Virginia, and Utah, alongside the draft American Data Privacy and Protection Act ('ADPPA') at a federal level.

Data subject rights

The Opinion concludes that data subject rights under the EU-US DPF principles remain unchanged when compared to the Privacy Shield, retaining some of the concerns raised in the Article 29 Working Party Opinion 01/2016 on the EU - U.S. Privacy Shield draft adequacy decision[1]. More specifically, the Opinion raises concerns regarding the scope of the right to access, the list of exemptions favouring EU-US DPF organisations, including the exception to the right of access for publicly available information and information from public records, among other things.

Furthermore, the Opinion requests clarification on how individuals can exercise their right to object, and recommends that the right to object be guaranteed at any given moment, and not limited to the use of the data for direct marketing. Equally, the Opinion highlights the need for clarification on the notice and choice principles for HR data intended to be used for a non-employment purpose, maintaining that further processing for non-employment purposes will usually be considered to be incompatible.

Onward transfers

In relation to onward transfers, the Opinion details concerns about the exemption to needing a contract for intra-group transfers between controllers in cases where the onward data transfer is for 'occasional employment related operational needs'. Further to the above, the Opinion reiterates the request that EU-US DPF organisations assess, prior to an onward transfer, that the mandatory requirements of the third country's national legislation applicable would not undermine the continuity of protection of the data subjects whose data is transferred.

Onward transfers gain particular attention in the Opinion, which emphasises that onward transfers to third countries may lead to interferences with individuals' fundamental rights, inviting the European Commission to clarify that the safeguards imposed by the initial recipient on the importer in the third country, must be effective, prior to an onward transfer in the context of the EU-US DPF.

Automated decision-making and profiling

In addition, the Opinion clarifies that specific rules on automated decision-making are needed in the EU-US DPF, including the right for individuals to know the logic involved, to challenge the decision, and to obtain human intervention when the decision significantly affects them. Notably, the Opinion rejects the European Commission's argument that the EU-US DPF is unlikely to affect the level of protection as regards personal data that has been collected in the EU since any decision based on automated processing would typically be taken by the controller in the EU. Rather, the Opinion counters that it cannot be ruled out that automated decision-making could be used by a US-based controller on data transferred under the Draft Adequacy Decision (e.g. in the context of employment, for assessing performance at work, insurance, or housing).

Enforcement and redress

As the EU-US DPF continues to rely on a system of self-certification by EU-US DPF organisations, the Opinion emphasises the importance of compliance checks in regard to substantive requirements, which it notes the EDPB will closely monitor, including in the context of the periodic reviews. Furthermore, the Opinion acknowledges the renewed commitment by the Federal Trade Commission ('FTC') and Department of Trade ('DoT') to prioritise the investigation of alleged EU-US DPF violations, take appropriate enforcement action against entities making false or deceptive claims of participation, and monitor enforcement orders concerning EU-US DPF violations and cooperate with EU data protection authorities ('DPAs').

In relation to redress, the Opinion welcomes the Draft Adequacy Decision's seven redress avenues provided to EU data subjects if their personal data is processed in violation of the EU-US DPF. However, with regard to the arbitration mechanism, the Opinion notes that this redress option is not available with respect to the exceptions to the EU-US DPF principles, and more generally it welcomes further details on the legislation mentioned in regard to the additional avenues for judicial redress. Finally, the Opinion welcomes the FTC's letter of intent to work closely with EU DPAs in addressing the complaints of data subjects. Nonetheless, the Opinion outlines the need for further information on the possibility of EU DPAs giving advice on remedial or compensatory measures that could include recommendations for fines, and the extent to which EU DPAs action may be taken into account as evidence for FTC or DoT enforcement.

Access by public authorities

The EDPB focuses in large part on the access and use of personal data by US public authorities for criminal law enforcement purposes, recognising the more detailed assessment contained in the Draft Adequacy Decision compared to the previous adequacy decision in regard to access by federal law enforcement authorities. However, in regard to state law enforcement authorities, the Opinion invites the European Commission to further assess the element of state law protection in future reviews. In addition, the Opinion determines that the system of law enforcement investigative measures in the US could be considered as generally meeting the requirements of necessity and proportionality in relation to the rights to private life and data protection.

Further, based on the information available, the Opinion considers the oversight of bodies, including Privacy and Civil Liberties Officers, the Inspector General, and specific committees in the U.S. Congress, to represent a fairly robust, independent oversight mechanism. In relation to redress on the other hand, the Opinion welcomes the clarifications provided by the European Commission as to the number of legal avenues for redress for individuals to rely on. Nevertheless, the Opinion requests further clarification on the remedies available to data subjects, and whether they allow the data subject to have access to personal data relating to them, or obtain the rectification or erasure of such data, as required by the CJEU.

Further use of collected information

The Opinion positively acknowledges that the Draft Adequacy Decision assesses the further use of data accessed by law enforcement authorities within the US. However, the Opinion highlights that only one example was provided, and recommends that the European Commission include further clarification in the Draft Adequacy Decision on the principles and safeguards applicable to the further use of data. Similarly, in regard to onward transfers, the Opinion invites the European Commission to further clarify the applicable rules and safeguards for onward transfers, further use, and disclosure of personal information, collected for law enforcement purposes in the US and subsequently transferred to third countries, including via international agreements, as only one limited example for the same was provided in the Draft Adequacy Decision.

Access for national security

Notably, regarding access to personal data for national security purposes, the Opinion outlines its understanding that the main purpose of the Executive Order is to prescribe limits for the collection and processing of personal data in the context of foreign intelligence, regardless of which surveillance programme is used and where the data is obtained from. Thus, the Opinion considers the safeguards established by the Executive Order to also apply in the context of the surveillance programmes applicable to personal data in transit taking place under Executive Order 12333. On the legitimate objectives for which signals intelligence activities may be conducted, the Opinion underlines the consideration of the Executive Order that 'signals intelligence collection activities shall be as tailored as feasible', and that 'the Intelligence Community shall consider the availability, feasibility, and appropriateness of other less intrusive sources', to provide general necessity and proportionality requirements.

Nonetheless, the Opinion concedes that the requirement provided in the Executive Order must be further implemented through agency policies and procedures that transpose them into concrete directions for day-to-day operations. Specifically, the Opinion recommends the European Commission assess the updated policies and procedures and share this assessment with the EDPB.

More generally, the Opinion provides an examination of data collection under specific legislation, including Section 702 of FISA and Executive Order 12333, welcoming the Privacy and Civil Liberties Oversight Board's ('PCLOB') decision to conduct an oversight project to examine the surveillance programme that the executive branch operates pursuant to Section 702 of FISA. On the oversight project, the Opinion stresses that the findings of the PCLOB's report on Section 702 of FISA would be necessary to adequately and comprehensively assess the privacy safeguards provided and applied in the context of this surveillance programme. In relation to Executive Order 12333, the Opinion welcomes the general public report issued by the PCLOB on Executive Order 12333, but notes that the report remains general as most of the findings are classified, which creates uncertainty and lack of clarity on how Executive Order 12333 is applied.

Bulk collection

The Opinion welcomes the Executive Order's prioritisation of targeted collection over bulk collection, and acknowledges that the Executive Order provides for new safeguards and limits to the collection and use of data collected outside the US, as the limitations of FISA or other more specific US laws do not apply. Nevertheless, the Opinion notes that the Executive Order permits the bulk collection of personal data, highlighting that the collection of large quantities of data indiscriminately presents higher risks for individuals than targeted collection, and accordingly requires additional safeguards to be adduced. Equally, the EDPB recognises that, while data collected in bulk shall be used in pursuit of one or more of the six objectives provided under the Executive Order, the scale of collection remains potentially broad. This is in consideration of the possible addition of legitimate objectives by the U.S. President.

Notably, the Opinion highlights the importance placed on prior independent authorisation in the context of bulk collection of data for national security purposes, addressing the fact that the Executive Order does not provide for such independent prior authorisation for bulk collection, and that this is not foreseen under Executive Order 12333 either. In regard to the retention of data collected in bulk, the Opinion outlines that the Executive Order does not provide clear definitions for retention periods, and that the Draft Adequacy Decision does not allow for a determination of whether the retention period of data collected in bulk is necessary and proportionate. Accordingly, the EDPB calls on the European Commission to provide clarification on the different retention periods in practice and to share its assessment on the necessity and proportionality of the retention periods applicable to US persons.

On the point of further dissemination of the data collected, including in the context of bulk collection, the Opinion highlights that the Executive Order does not provide an express prohibition of dissemination for other purposes than national security purposes, when disseminating to US competent authorities, and consequently calls on the European Commission to further clarify the applicable rules and safeguards in this case. To this end, the Opinion raises concerns that data acquired by the competent intelligence community authorities could be disseminated to US competent authorities for the purpose of combating crime, including serious crimes, in the context of criminal investigations, thereby providing law enforcement authorities, without any further specific restrictions, the possibility to obtain data that they would have been prohibited from collecting directly, again calling on the European Commission to further assess this point.

Similar concerns are cited in the Opinion regarding the dissemination of personal data collected in bulk, noting that the European Commission did not consider the existence of international agreements concluded with third parties in its adequacy assessment, outlining that it considers the conclusion of bilateral or multilateral agreements with third countries for the purposes of intelligence cooperation are likely to affect the data protection legal framework as assessed.

Similarly, the Opinion stresses that the derogation remains unclear with regard to the temporary bulk collection in view of targeted collection and the remaining safeguards to be applied, and therefore calls on the European Commission to further assess these elements.

Oversight

Importantly, with regard to oversight of US intelligence activities, the Opinion clarifies that such activities are subject to a multi-layered oversight process, divided into internal and external oversight mechanisms. In this regard, internal oversight refers to the periodic oversight of signals intelligence activities by oversight and compliance officials, including Privacy and Civil Liberties Officers and Inspectors General, while external oversight refers to bodies, such as the PCLOB and the Intelligence Oversight Board.

Additionally, in this regard, the Opinion reiterates the European Court of Human Rights' ('ECtHR') position on interferences with the right to privacy, noting on several occasions that they should be subject to an effective, independent, and impartial oversight system provided for by either a judge or another independent body.

Internal oversight

Against this background, in relation to internal oversight mechanisms, the Opinion takes issue with the fact that, although Inspectors General have extensive investigatory powers, they do not have any binding remedial powers and can only issue non-binding recommendations. Furthermore, the Opinion adds that, although Inspectors General are not prevented or prohibited from carrying out or completing any audit or investigation, or from issuing any subpoena, they remain under the control of the relevant head of department, who may prohibit them from doing so in cases where they determine that such a prohibition is necessary to preserve national interests. On this point, however, the Opinion highlights that the head of a department has to inform responsible committees of the U.S. Congress of the exercise of this authority.

Notably, the EDPB expresses that there have not been significant amendments to the internal oversight mechanism and generally finds the internal oversight mechanisms in place sufficient.

External oversight

In regard to external oversight, the Opinion addresses the role of the PCLOB, as well as its new functions with regard to the new redress mechanism under the Executive Order. Among the functions attached to the PCLOB's role, the Opinion notes the obligation to consult the PCLOB while intelligence agencies update their internal policies and procedures to implement the Executive Order, as well as its role in carrying out a review of the same and assessing their compliance with the Executive Order.

In this regard, the Opinion notes that the PCLOB is merely 'encouraged', but not obliged, to carry out a review on whether the safeguards in the Executive Order are fully complied with. Additionally, the Opinion highlights that the PCLOB's access to information is restricted if the U.S. President authorises the conduct of 'covert actions' by departments, agencies, or entities of the U.S. Government. As such, the Opinion calls on the European Commission to pay special attention to whether and how the PCLOB's recommendations have been implemented at agency level in its future reviews, if the Draft Adequacy Decision is adopted.

Nonetheless, the Opinion welcomes the fact that the results of the PCLOB's reports are intended to be made public and recognises the importance of the PCLOB's recommendations in ensuring privacy safeguards. In addition, the Opinion welcomes the PCLOB's announcement of the publication of a follow-up report on Section 702 of FISA and expresses its regret that, in its review of the former Privacy Shield, among other deficiencies, the PCLOB had failed to issue follow-up reports on how safeguards of U.S. Presidential Policy Directive 28 ('the PPD-28') are applied, as well as a general updated report on Section 702 of FISA. Accordingly, the Opinion notes that, if the Draft Adequacy Decision is adopted, in future reviews of the EU-US DPF, EDPB security-cleared experts should be able to review additional documents and discuss classified elements to ensure that the information in the reports can be adequately assessed, while considering relevant national security interests and applicable privacy protections.

Moreover, the Opinion notes that, pursuant to the Executive Order, the Civil Liberties Protection Officer of the Office of the Director of National Intelligence ('CLPO') and the DPRC are to report rule violations to the Assistant Attorney General for National Security, who in turn reports those violations to the Foreign Intelligence Surveillance Court ('FISC'). Notably, the Opinion highlights that the FISC, which is responsible for the oversight of personal data collection under Section 702 of FISA, oversees the certification process for the collection of foreign intelligence information pursuant to the same section, and authorises electronic surveillance, physical search, and other investigative measures for foreign intelligence purposes. In this regard, the EDPB specifies that the FISC does not authorise individual surveillance measures, but rather authorises surveillance programmes in their entirety.

Accordingly, the Opinion states its concern that the FISC does not provide effective judicial oversight on the targeting of non-US persons in surveillance programmes, an aspect which is not resolved by the Executive Order. In addition, the EDPB notes that, although the FISC does not appear to be bound by the additional safeguards of the Executive Order when certifying the programmes authorising the targeting of non-US persons, it is of the view that the additional safeguards should nevertheless be taken into account. As such, the EDPB added that the reports of the PCLOB would be particularly useful to assess how the safeguards will be implemented and applied when data is collected under Section 702 of FISA.

Availability of effective remedies to individuals

With regard to the availability of effective remedies, the Opinion stresses the importance of effective and enforceable rights of individuals, as enshrined in Article 47 of the Charter of Fundamental Rights of the European Union ('the Charter'), in finding an adequate level of data protection in a third country. In this regard, the Opinion notes the position relating to judicial remedies in the US system, where due to the U.S. Constitution's requirement of establishing sufficient 'standing', it is difficult to bring legal proceedings against the U.S. Government surveillance measures before ordinary courts.

As such, the EDPB welcomes the specific redress mechanism introduced by the Executive Order to handle and resolve complaints from non-US individuals, concerning US signals intelligence activities, where the standing requirement is not applicable and data subjects can thus invoke the safeguards provided for in the Executive Order. More specifically, the Opinion clarifies that the redress mechanism comprises two layers. Under the first layer, individuals are able to lodge a complaint with the CLPO, whereas under the second layer, individuals can appeal the CLPO's decision before the DPRC. In this regard, the Opinion considers that the CLPO, as an acting government official, does not have a sufficient degree of independence from the executive to fulfil the requirements of the right to effective judicial protection, and focuses its opinion and analyses on the sufficiency of the second layer of the mechanism, i.e. the DPRC.

The DPRC

In considering whether the establishment of the DPRC provides a sufficient redress mechanism in line with Article 47 of the Charter, namely that individuals have the right to an effective remedy before a tribunal previously established by law, the EDPB concludes that the specific redress mechanism created under the Executive Order 'is not per se insufficient', since, based on assessments of both the CJEU and the ECtHR, substantive safeguards are decisive in this context. In this regard, the EDPB highlights that the effectiveness of the remedy should be determined by assessing the powers and procedural guarantees that the authority possesses, and particularly whether it is independent of the executive and ensures the fairness of the proceedings. As such, the EDPB calls on the European Commission to continuously monitor whether the rules set forth in the Executive Order and any supplemental provisions, particularly those designed to foster the DPRC's independence, are fully implemented and function effectively in practice, noting that any amendments or changes to the EU-US DPF should be carefully reviewed.

The EDPB acknowledges several changes that mark improvements over the Privacy Shield with regard to measures ensuring the independent position of the DPRC; however, it also notes that the effectiveness of the safeguards introduced to maintain the independence of an entity nevertheless located within the executive remains to be seen in practice, and therefore calls on the European Commission to monitor how these safeguards are reflected in practice. Against this background, the EDPB urges the European Commission to clarify whether and how compliance with these requirements will be observed in the US, whether, and if so, under which conditions the U.S. President has the authority to dismiss or remove 'judges' from the DPRC, and that should the Draft Adequacy Decision be adopted, the abovementioned safeguards be considered a priority during the first joint review of the EU-US DPF.

Powers of the DPRC

Moreover, in assessing the DPRC's power to access information, the EDPB notes that, although the Draft Adequacy Decision states that the DPRC has access to all information necessary to review determinations made by the CLPO, it primarily obtains such information through the CLPO, which acts as an intermediary when the DPRC requires further information.

In this regard, the EDPB states that this means that, to a certain extent, the DPRC relies on the CLPO providing the necessary information, which itself is not independent and conducts the initial investigation of a complaint at the first stage of the redress procedure. As such, the Opinion welcomes the verification by the PCLOB, during its annual reviews of the redress mechanism, of whether the DPRC has obtained full access to all necessary information. Consequently, the EDPB invites the European Commission to include this aspect in the joint reviews to examine the implications of the system in practice, if the Draft Adequacy Decision is adopted.

Additionally, with regard to the DPRC's remedial powers, the EDPB recalls that, under the new redress mechanism, decisions taken by the CLPO and by the DPRC have binding effect, in contrast to the position under the Privacy Shield. Nonetheless, the EDPB notes that the wording of Section 4(a) of the Executive Order creates some uncertainty as to the process of determining 'appropriate remediation', calling for clarity on the wording of the section, through the design of a measure to fully redress a violation, and consideration of 'the ways that a violation of the kind identified have customarily been addressed'. As such, the Opinion also calls on the European Commission to closely monitor the remediation measures adopted in practice. Moreover, the EDPB recognises that the European Commission should also clarify the notion of being 'adversely affected' under Section 4(d)(ii) of the Executive Order to ensure that no level of 'gravity' needs to be demonstrated by data subjects to have access to redress and appropriate remediation for violations of their rights.

Notably, the Opinion highlights its understanding that, while the Executive Order does not preclude recourse by data subjects to the courts of general jurisdiction in the US, it remains uncertain how such a court would apply the order, and notes this as a point to be explored further in future reviews, if the Draft Adequacy Decision is adopted.

Procedure for complaints

In relation to lodging complaints, the Opinion recognises that the Draft Adequacy Decision provides that data subjects who wish to lodge complaints must submit such complaints to a supervisory authority in an EU Member State responsible for the oversight of national security services and/or the processing of personal data by public authorities. In this regard, the Opinion reiterates its concerns over potential difficulties for individuals to identify the competent authority and notes that national DPAs offer a more appropriate channel for complaints.

Decisions of the DPRC

The Opinion recalls the standard response issued by the DPRC, whereby after its review of the complainant's application, the DPRC may only inform the data subject that their review had either not identified any covered violation or that it had issued a determination requiring appropriate remediation in that regard and does not reveal to the data subject whether they were subject to US intelligence activities. In this regard, the Opinion expresses concern that the Executive Order does not provide for any exceptions to this standard response, particularly since the DPRC's decision cannot be appealed and is final, and calls for the European Commission to pay particular attention to this issue during a review of the Draft Adequacy Decision, if adopted.

Implementation and monitoring of the Draft Adequacy Decision

Lastly, with regard to monitoring the adequacy of the decision, the Opinion outlines that the Draft Adequacy Decision will be subject to periodic checks by the European Commission, and that the U.S. Department of Commerce will hold meetings on a periodic basis with the European Commission, interested European DPAs, and appropriate representatives from the EDPB. Moreover, the Opinion notes that the review of the adequacy finding will take place after one year from the date of the notification of the adequacy decision to Member States and subsequently at least every four years. Here, the Opinion calls on the European Commission to carry out the subsequent reviews at least every three years, with a view to strengthening the continuous monitoring.

In relation to the EDPB and its representatives' practical involvement, the Opinion reiterates that any relevant documentation should be shared in writing with the EDPB, including correspondence, sufficiently in advance of the reviews. To this end, the Opinion recommends that, at the latest three months before the review is expected to take place, the modalities for the review are established and agreed upon between the European Commission, the U.S. Administration, and the EDPB.

Notably, the Opinion also welcomes Recital 212 of the Draft Adequacy Decision, which provides examples of modifications undermining the level of protection offered by the Executive Order that may justify the initiation of an 'emergency repeal procedure'.


Alice Muasher, Senior Privacy Analyst
Harry Chambers, Senior Privacy Analyst


1. See at: https://ec.europa.eu/newsroom/article29/redirection/document/55929