EU: EDPB adopts report on Commission adequacy decision of EU-US DPF

On November 5, 2024, the European Data Protection Board (EDPB) announced the adoption, on November 4, 2024, of the EDPB Report on the first review of the European Commission Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework (DPF).

The Commission's first report on the adequacy decision of the EU-US DPF was published on October 9, 2024.

Enforcement mechanism

The EDPB highlighted that it welcomes the new role of the U.S. Department of Commerce (DOC) in implementing self-certification, oversight, and supervision processes. However, the EDPB also noted that, regarding automated compliance checks specifically, automated means may complement but cannot substitute for individual investigations and assessments. The EDPB, while also welcoming the role of the U.S. Federal Trade Commission (FTC) in enforcement of the EU-US DPF, noted that there are very few complaints by concerned individuals that may actually trigger enforcement action, arguing that proactive enforcement action is needed.

Regarding complaints under the EU-US DPF, the EDPB provided that the very low number of eligible complaints submitted and the fact that complaints mostly concerned requests for deletion or access means that easy access to redress must be accompanied by proactive checks from competent U.S. authorities on compliance with the EU-US DPF Principles.

Notably, the EDPB outlined the need for further guidance from the DOC on issues including the Accountability for Onward Transfer Principle for US importers under the EU-US DPF, and 'HR Data' because of the divergence of interpretation between EU and US authorities.

In recognition of the US state privacy laws that have been enacted in 2024, the EDPB also stated that a robust federal data protection law would play a positive role in ensuring the stability of an adequacy decision under Article 45 of the General Data Protection Regulation (GDPR). However, the EDPB welcomed other developments including the FTC's use of its enforcement powers and the adoption of legislation in multiple US states on automated decision-making based on profiling.

Government access to data

The EDPB recommended that the Commission continue to monitor the practical functioning of different safeguards intended to ensure an essentially equivalent level of protection. The Commission should take into account the upcoming Privacy and Civil Liberties Oversight Board (PCLOB) reviews on the implementation of the necessity and proportionality requirements, and redress mechanism under Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities (EO 14086).

To ensure an adequate level of protection, the EDPB emphasized that the Commission should assess government acquisition of personal data by US intelligence agencies from data brokers and other commercial entities not captured by EO 14086. The EDPB welcomed that the next review of the EU-US DPF will be carried out within three years, not the statutory maximum period of four years, since the next re-authorization of Section 702 of the Foreign Intelligence Surveillance Act (FISA) is due within two years.

You can read the press release here and the report here.