Brussels, 7 April – The EDPB adopted a statement on the announcement of a new Trans-Atlantic Data Privacy Framework. The EDPB welcomes the commitments made by the U.S. to take ‘unprecedented’ measures to protect the privacy and personal data of individuals in the European Economic Area (EEA) when their data are transferred to the U.S. as a positive first step in the right direction.
The EDPB notes that this announcement does not constitute a legal framework on the basis of which EEA data exporters can transfer data to the U.S. Data exporters must continue taking the necessary actions to comply with the case law of the Court of Justice of the European Union (CJEU), and in particular its Schrems II decision of 16 July 2020. The EDPB will pay special attention to how this political agreement is translated into concrete legal proposals.
The EDPB looks forward to assessing carefully the improvements that the new framework may bring in light of EU law, CJEU case law and previous recommendations of the Board, once the EDPB receives all supporting documents from the European Commission. In particular, the EDPB will analyse whether the collection of personal data for national security purposes is limited to what is strictly necessary and proportionate. In addition, the EDPB will examine how the announced independent redress mechanism respects EEA individuals’ right to an effective remedy and to a fair trial. More specifically, the EDPB will look into whether any new authority part of this mechanism has access to relevant information, including personal data, when exercising its mission and whether it can adopt decisions binding on the intelligence services. The EDPB will also consider whether there is a judicial remedy against this authority’s decisions or inaction.
The EDPB reiterates that it remains committed to playing a constructive role in securing transatlantic transfers of personal data that benefit EEA individuals and organisations.
Next, the EDPB adopted a letter expressing concerns about the recent legislative developments in Belgium aimed at reforming the law establishing the Belgian Supervisory Authority (BE SA), as it may negatively impact the stability and the independent functioning of the Belgian authority.
The EDPB stresses that independent supervision, which it fears is impacted by the proposed reforms, is essential to the fundamental right to data protection and for this reason is protected by the Charter and the EU Treaty. It is also the cornerstone of effective enforcement under the GDPR and effective cooperation among SAs. Furthermore, the EDPB is concerned about the proposals’ alignment with the GDPR and strict CJEU case law. In particular, the EDPB pointed out as issues the interruption of the current mandate of the BE SA’s external members and the added grounds of dismissal of members. The EDPB also questions how the various proposals leading to increased parliamentary oversight may relate to the requirement for SAs to “remain free from external influence” in accordance with Art. 52(2) GDPR. In addition, the EDPB states that the legislative proposal to make the use of a shared service centre mandatory may conflict with the SA’s freedom to choose and have its own staff (Art. 52(5) GDPR), which may result in indirect external influence on the stability and functioning of the BE SA.
Finally, the EDPB agreed to request observer status within the Spring Conference of European Data Protection Authorities. The Spring Conference provides a platform for dialogue for data protection authorities all over Europe, including non-EEA countries. This request forms part of the EDPB Strategy 2021-2023 to strengthen engagement with the international community and to facilitate cooperation between EDPB members and the data protection authorities of third countries.
EDPB Deputy Chair Aleid Wolfsen said: “International cooperation is vital to upholding data protection rights in the EEA and beyond. This is another important step forward in reinforcing our engagement with the international community to promote EU data protection standards and to ensure effective protection of personal data beyond EU borders.”