At its plenary session on Monday 4 November, the European Data Protection Board (EDPB) adopted a report on the first review of the EU-US Data Privacy Framework (DPF), published by the European Commission on 9 October (see EUROPE 13500/19).
The EDPB is satisfied with the progress made since the adoption of the adequacy decision in July 2023, although there is still room for improvement.
Overall, the EDPB believes that the United States has taken the necessary measures to ensure the protection of transferred personal data, but that there is still work to be done on redress mechanisms for EU citizens and the handling of complaints.
The EDPB also encourages “the development of guidelines by the US authorities clarifying the requirements that DPF-certified companies should comply with when transferring personal data they have received from EU exporters”.
With regard to access by US public authorities to personal data transferred from the EU to certified organisations, the EDPB states that it has focused its examination on the effective implementation of the safeguards introduced, such as the principles of necessity and proportionality and the new redress mechanism.
Without mentioning any shortcomings, the Board reiterates its call for the European Commission to monitor the practical operation of the various safeguards and also recommends “following up on future developments concerning the Foreign Intelligence Surveillance Act”.
Finally, the EDPB recommends that the next review of the EU-US adequacy decision should take place within a maximum of three years.
The DPF was put in place in 2023, after several years of uncertainty following the Court of Justice of the European Union’s annulment of the two texts previously supposed to guarantee the protection of European personal data in the United States, the ‘Privacy Shield’ and the ‘Safe Harbor Framework’.
See the report: https://aeur.eu/f/e7g (Original version in French by Isalia Stieffatre)