The European Data Protection Board (EDPB) has issued a long-awaited opinion on the EU-US Data Privacy Framework.
Here are some key takeaways:
The Commercial Part: The scope of the exemptions from adherence to the Principles, including the applicable safeguards under U.S. law, must be clarified. In addition, the Commission should be informed of, and should monitor, the application and adoption of any statute or government regulation that would affect adherence to the DPF Principles. The DPF Principles are identical to the Privacy Shield Principles, so all issues raised by the WP29 in its 2016 opinion continue to apply, as do all of the comments made in the past joint reviews.
The Principles need to clarify which of the DPF Principles apply to DPF Organizations acting as “processors” or “agents,” and which apply to those acting as “controllers.” The exceptions to the right of access should be assessed, specifically with respect to publicly available information. The right to object to processing should be added, and it should not merely be mentioned in the privacy notice but presented in a way that makes exercising it feasible. Further processing of HR data should be addressed: further processing of HR data for non-employment-related purposes will in most cases be considered incompatible with the original purpose, and consent will rarely be entirely free when given in an employment context.
Onward Transfers Must Be Addressed Better:
Intra-group transfers should not be carved out of the requirements. Organizations bound by the