After the EU Commission published a draft adequacy decision on data transfer to the USA, also called the “EU-US Data Privacy Framework” (DPF) ( we reported ), the European Data Protection Board (EDPB) has now published an opinion (Opinion 05/2023 )The European Data Protection .
The ECJ with Schrems I and Schrems II as stumbling blocks The European Data Protection
First, the EDPB clarifies that in Schrems I (C-362/14), the CJEU held that while the level of protection in the third country must be “essentially equivalent” to that guaranteed in the EU, the third country may use different means than the EU to achieve such a level of protection. Simply put, the third country does not have to adopt the GDPR; rather, singapore business fax list the principles must be reflected in its legislation.
Rights of data subjects restricted
The EDPB criticizes the overly restrictive nature of the data subjects ‘ right to information vis-à-vis US companies. According to the draft, your guide to website maintenance costs there is no right to information . The information is publicly available. The EDPB emphasizes that the right to information always exists, regardless of publication.
Data transfer to third countries as a circumvention option?
The EDPB is deeply concerned that the transfer of data. US companies to third countries will undermine EU data protection standards. Therefore, albania business directory the Committee urges that the data protection obligations imposed. US companies must also apply to recipients in third countries, as otherwise there is a risk of a lower level of data protection. This is intended to prevent circumvention of the Data Protection Framework.
Transparency in profiling and automated decision-making is necessary
When it comes to automated decision-making and profiling, the EDPB calls for concrete rules to ensure that data subjects understand the logic underlying the processes, so they can object to the processing, and if necessary, request human oversight of these specific data processing operations. The current example of Schufa already shows us in Germany that this is not a simple issue .
Cautiously optimistic about the use of personal data by US authorities
When it comes to access to and use of personal data by US authorities, a distinction must be made between law enforcement and national security.
The EDPB has no major objections to data processing for law enforcement purposes . It simply wants clarification . The legal options available to EU citizens to appeal against data processing and the extent to which they have access to. The deletion or correction of, their data. Overall, the EDPB considers the system of investigative measures used by law enforcement authorities in the US to be based on the requirements of necessity and proportionality with regard to respect for private life and data protection.
The EDPB believes the Commission has a duty to reassess this situation .
Data Protection Review Court is sufficiently independent
EO 14086 provides for a two-tiered redress mechanism . In the second tier, a data protection violation can be reviewed by the Data Protection Review Court (DPRC). However, doubts about its independence may arise, as the executive branch convenes the DPRC.
The EDPB therefore calls on the Commission to continuously monitor whether the DPRC’s independence is fully respected.
EDSA does not want to stand in the way
The statement points out numerous areas .While also highlighting the improvements over the previous regulation. It is clear that the EDPB intends to support the process positively.