At the plenary session of the EDPB, which was held from Zagreb for the first time, under the chairmanship of the Vice-President of the European Data Protection Board and Director of the Personal Data Protection Agency Zdravko Vukić, the first report* on the EU-US Data Privacy Framework (DPF) was adopted, as well as the Statement on the recommendations of the High-Level Group (HLG)** on access to data for effective law enforcement.
The EDPB welcomes the efforts of the US authorities and the European Commission to implement the DPF and notes several developments that have occurred since the adoption of the adequacy decision in July 2023.
Regarding the commercial aspects, i.e. the application and enforcement of the requirements applicable to self-certified companies under this framework, the EDPB notes that the US Department of Commerce has taken all relevant steps to implement the certification process. This includes developing a new website, updating procedures, collaborating with companies and conducting awareness activities.
In addition, a legal protection mechanism for EU individuals has been implemented and there are comprehensive guidelines for handling complaints published on both sides of the Atlantic. However, the small number of complaints received so far under the DPF underscores the importance of the initiation of monitoring activities by the US authorities regarding the compliance of DPF-certified companies with the DPF principles.
The EDPB encourages the development of guidance from US authorities, clarifying the requirements that DPF-certified companies should comply with when transferring personal data received from the EU. Guidance from US authorities on HR data would also be welcome. The EDPB expresses its willingness to provide feedback on these guidelines.
Regarding US public authorities’ access to personal data transferred from the EU to certified organizations, the EDPB focused on the effective implementation of the safeguards introduced by Executive Order 14086 into the US legal framework, such as the principles of necessity and proportionality and the new legal protection mechanism. The Board believes that the elements of the legal protection mechanism have been established; at the same time, it renews the call to the European Commission to monitor the practical functioning of various protective measures, e.g. the implementation of the principles of necessity and proportionality. The EDPB also recommends that the Commission monitor future developments regarding the US Foreign Intelligence Surveillance Act, particularly given the expanded reach of Section 702 following its reauthorization by the US Congress earlier this year.
EDPB Deputy President Zdravko Vukić said: “We are glad that progress has been made since the adoption of the adequacy decision thanks to the fruitful cooperation between the US authorities, the European Commission and the EDPB. At the same time, there is still room for improvement and we should continue to work together to maintain a high level of data protection and protect the rights and freedoms of individuals in the EU.”
Finally, the Board recommends that the EU-US Adequacy Decision should be reviewed within three years or less.
The statement on the recommendations of the HLG on access to personal data for the purpose of effective law enforcement by public authorities emphasizes that the fundamental rights of individuals must be protected. While the EDPB supports the goal of effective law enforcement, it points out that some of the HLG’s recommendations could cause serious violations of fundamental rights, especially respect for privacy and family life.
Although the EDPB positively notes that the recommendation can lead to the establishment of equal conditions for data retention, it considers that a broad and general obligation to retain data in electronic form by all service providers would create a significant interference with the rights of individuals. Therefore, the EDPB questions whether this would meet the requirements of necessity and proportionality from the Charter of Fundamental Rights of the EU and the case law of the Court of Justice of the European Union (CJEU).
In its statement, the EDPB also emphasizes that recommendations regarding encryption should not prevent its use or weaken the effectiveness of the protection it provides. For example, introducing a client-side process that allows remote access to data before it is encrypted and sent over the communication channel or after it is decrypted at the recipient would in practice weaken the encryption. Maintaining the protection and effectiveness of encryption is important to avoid a negative impact on respect for privacy and confidentiality, and to ensure the protection of freedom of expression and economic growth that depend on reliable technologies.
* In accordance with Art. 3 of the EU-US adequacy decision, the European Commission is obliged to review the adequacy decision one year after its adoption. The review meeting was held in Washington on July 18 and 19, 2024, and the European Commission was accompanied by five representatives of the EDPB.
** The HLG was launched by the European Commission in June 2023 and is co-chaired by the Commission and the rotating Presidency of the Council. It was launched with the aim of researching the challenges for experts in law enforcement related to data access and proposing solutions and recommendations.
In June 2024, the HLG published 42 recommendations for the further development of EU policies and legislation, structured as “capacity building measures”, “industry cooperation and standardization” and “legislative measures”. The recommendations specifically relate to encryption, cooperation with industry as well as between public authorities and the need for harmonized data retention rules.