EDPB Adopts First Report Under Data Privacy Framework
Time 2 Minute Read

On November 4, 2024, the European Data Protection Board (“EDPB”) adopted its first report (the “Report”) under the EU-U.S. Data Privacy Framework (“DPF”), welcoming the efforts made by U.S. authorities and the European Commission to implement the DPF.

The Report follows the EDPB’s review of the European Commission’s adequacy decision for the DPF, which is required by Article 3 of the decision. The review focused on the commercial aspects of the DPF, and on access by U.S. public authorities to personal data transferred from the EU to DPF-certified organizations. With respect to the DPF’s commercial aspects, the EDPB noted that the U.S. Department of Commerce took all relevant steps to implement the certification process for U.S. companies, including developing a new website, updating procedures, engaging with companies, and conducting awareness-raising activities. However, it also noted the low number of eligible complaints received from data subjects in the first year of the DPF, and encouraged the Department of Commerce and the Federal Trade Commission to proactively increase ex officio investigations as regards substantial compliance of certified organizations with all DPF Principles.

The EDPB also requested practical guidance from the Department of Commerce on the Accountability for Onward Transfer Principle of the DPF, to clarify the requirements that DPF-certified organizations receiving personal data from EU exporters need to comply with when transferring such data to other third countries, as well as guidance on the notion of “HR Data.”

With respect to access by U.S. public authorities, the Report focused on the implementation of additional safeguards under Executive Order 14086, stating that the EDPB would have welcomed an opportunity to discuss examples of how the principles of necessity and proportionality have been specifically interpreted and applied at agency level. Among other observations, the EDPB noted significant improvements in the provision of effective redress, in particular with respect to the powers of the Data Protection Review Court, but stated that the redress mechanism should remain a priority during future periodic reviews.

The EDPB advised that the next review of the DPF take place within less than four years.

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page