Opinion

EDPB adopts EU-U.S. DPF report, issues Biometrics Guidelines mandate and other updates

Published Date
Nov 14 2024

On November 5, 2024, the European Data Protection Board (EDPB) issued its first report under the EU-U.S. Data Privacy Framework (DPF) and released a statement on the access to data for law enforcement. Both documents were adopted during the plenary session on November 4, 2024 (the Plenary Session). You can read about the background of the EU-U.S. DPF in our note here.

Report on the EU-U.S. DPF

The report notes that U.S. authorities have successfully implemented the self-certification process for U.S. companies under the DPF. The process has been taken forward in various ways – by developing a new website, engaging with companies and expanding outreach activities to increase awareness and improve trust amongst companies to certify under the DPF. A redress mechanism for EU individuals has also been updated, which allows EU individuals to issue complaints more easily (though very few complaints have been submitted thus far). The EDPB also identified several areas for improvement and made the following recommendations:

  • The U.S. Department of Commerce (DoC), the Federal Trade Commission, and the Department of Transportation (DoT) should enhance ex officio oversight and structural enforcement actions to ensure substantial compliance of certified organisations with all DPF principles;
  • U.S. authorities should implement proactive checks on certified organisations to review their compliance with the DPF principles (rather than relying on complaints from individuals);
  • The DoC should issue practical guidance on the accountability for onward transfers principle, so that the requirements for DPF-certified companies who receive personal data from EU exporters and then export the data to third countries have greater clarity; 
  • The DoC should verify whether organisations that have withdrawn or let their certification lapse have returned, deleted or retained personal data received under the DPF (and then provide this information on the DPF website). If an organisation retains the data after letting its certification lapse, it must continue to comply with the principles under the DPF;
  • The European Commission should monitor how the principles of necessity and proportionality are interpreted and applied by U.S. intelligence agencies in practice, as introduced by Executive Order 14086;
  • The EDPB raised concerns about the acquisition of personal data by U.S. intelligence agencies from data brokers and other commercial entities, recommending further monitoring by the European Commission; and
  • The next periodic review of the DPF should be carried out within three years (rather than the permitted maximum of four years) to allow for more timely monitoring of the practical application of the DPF.

Other topics covered by the EDPB plenary session

The Plenary Session addressed several important topics, including discussions on:

  • The Statement on the Recommendations of the High-Level Group (HLG) on Access to Data for Effective Law Enforcement – the EDPB highlighted the risks arising from the serious intrusion on fundamental rights in the HLG Recommendations, questioned the necessity and proportionality of broad data retention obligations for all service providers and reiterated concerns about any obligations that would require providers to weaken encryption for the interception of or access to encrypted communications (available here);
  • T request for a mandate to produce Guidelines on the use of biometrics for physical access control;
  • Audited descriptions of consumer profiling techniques provided to the EDPB pursuant to Article 15 Digital Markets Act; and
  • A response to a letter from the European AI Office regarding the EDPB’s statement on the role of the data protection authorities in the AI Act framework.

The press release on the EU-U.S. DPF is available here and the report here. The plenary agenda is available here.

Related capabilities