EU adequacy decision on data transfers to the USA: EDPB sees need for further regulation

In its comments, the European Data Protection Board generally welcomes the innovations in the EU Commission’s adequacy decision with regard to the level of protection of personal data in the United States. However, the EDPB sees a need for further regulation to ensure equivalent protection of EU citizens’ data.

European Data Protection Board’s (EDPB) comments

The EDPB considers the essential amendments, such as the introduction of necessity and proportionality requirements for the collection of data by US intelligence and the creation of new legal remedies for EU data subjects, to be positive.

However, the EDPB expressly states that some of the criticisms raised by the European Court of Justice have still remained unconsidered in the “Schrems-II” decision. This includes in particular the structuring of the data subjects’ right of objection, the lack of definitions and the overly broad exceptions for publicly available information.

The EDPB also expresses concerns about the lack of authorization by an independent authority for the collection of mass data under Executive Order 12333. Finally, the European Data Protection Board expressly points out that the level of protection for individuals whose data are transferred must not be undermined by onward transfers from the original recipient.

The German Conference of Independent Data Protection Authorities (“DSK”) expressly endorses the EDSA’s comments and emphasizes that a comprehensive protection of fundamental rights requires the creation of a level of data protection equivalent to that in the EU.

It remains to be seen whether the outstanding issues identified by the EDPB will be taken into account in the draft adequacy decision, as the European Commission is not bound by the EDPB’s opinion.