At its last plenary session, the European Data Protection Board (EDPB) adopted its first report on the European Union (EU) – United States Data Privacy Framework (DPF), as well as a statement on recommendations on access to data by law enforcement authorities.
On 4 November 2024, the EDPS met in plenary session and adopted several important documents.
A report on the EU-US adequacy decision
A report on the first review of the EU-US adequacy decision was thus adopted by the EDPS, after the European Commission published its own on 9 October.
The EDPS welcomes the efforts made by the US authorities and the European Commission to implement the DPF, including the appeal mechanism, since the adoption of the adequacy decision in July 2023. According to the EDPS, the establishment of an appeal mechanism must be accompanied by regular monitoring by the US authorities of compliance with the DPF requirements by certified companies. The EDPS further encourages the development of guidance by the US authorities, clarifying the compliance requirements for certified companies when transferring data received from EU exporters.
As regards access by US public authorities to EU data received by certified bodies, the EDPS invites the European Commission to monitor the practical functioning of the various safeguards – for example, how the principles of necessity and proportionality are interpreted and applied by the competent authorities. It also invites it to monitor developments in US legislation, in particular the Foreign Intelligence Surveillance Act (FISA) which regulates the collection of personal data of foreign nationals by US intelligence services.
The EDPS recommends to the European Commission that the next review of the DPF takes place within a maximum of three years.
A statement on access to data by law enforcement agencies
During this plenary, the EDPS also adopted a statement on the recommendations published in June 2024 by the High-Level Group on Access to Data for Effective Law Enforcement (HLG).
Since its launch in June 2023, the HLG has produced 42 recommendations, including on encryption and the need to harmonise rules on data retention.
In this statement, the EDPS expresses concern that law enforcement authorities may be equipped with excessive capacities. He highlights a high risk of serious interference with fundamental rights, in particular as regards data retention, security and encryption.
While the EDPS notes positively that the Recommendation could lead to the establishment of uniform conditions for data retention, it would not welcome a broad and general obligation to retain data in electronic form by all service providers.
This statement also highlights the importance of preserving the use of encryption to avoid negatively affecting privacy and confidentiality.