This year, we focused on the rapidly growing AI technologies and described how emerging trends could impact the rights and freedoms of individuals . In the report you will find critical overview of six trends. 

Interested to learn more about Europrivacy, official GDPR European Data Protection Seal? Meet us at the IAPP Europe Data Protection Congress in Brussels during 20-21 November. We will be delighted to meet you at the Europrivacy booth in the exhibition area. The Europrivacy criteria enable you to check compliance with the GDPR. They have been […]

The post Europrivacy at the IAPP Brussels appeared first on Europrivacy Community.

Have a listen to our new episode of the Newsletter Digest on Artificial Intelligence with the Secretary-General of the EDPS, Leonardo Cervera Navas. Now you can also watch the episode here.

Brussels, 05 November - During its latest plenary, the European Data Protection Board (EDPB) adopted a report on the first review1 of EU-U.S. Data Privacy Framework (DPF), as well as a statement on the recommendations of the high-level group (HLG)2 on access to data for effective law enforcement.

The EDPB welcomes the efforts by the U.S. authorities and the European Commission to implement the DPF, and takes note of several developments that took place since the adoption of the adequacy decision in July 2023.

Regarding commercial aspects, i.e. the application and enforcement of requirements applying to companies self-certified under this framework, the EDPB notes that the U.S Department of Commerce took all relevant steps to implement the certification process. This includes developing a new website, updating procedures, engaging with companies, and conducting awareness-raising activities.

In addition, the redress mechanism for EU individuals has been implemented and there is comprehensive complaint-handling guidance published on both sides of the Atlantic. However, the low number of complaints received so far under the DPF highlights the importance of having U.S. authorities initiate monitoring activities concerning compliance of DPF-certified companies with the substantive DPF Principles.

The EDPB encourages the development of guidance by U.S. authorities, clarifying the requirements that DPF-certified companies would need to comply with when they transfer personal data that they have received from EU exporters. Guidance by U.S. authorities on human resources data would also be welcome. The EDPB expresses its availability to provide feedback on these guidance documents.

Concerning the access by U.S. public  authorities  to  personal  data transferred from the EU to certified organisations, the EDPB focused; on the  effective  implementation  of  the  safeguards introduced by the Executive Order 14086 in the U.S. legal framework, such as the necessity and proportionality principles  and  the  new  redress  mechanism. The Board considers that the elements of the redress mechanism are in place; at the same time, it renews the call to the European Commission to monitor the practical functioning of the different safeguards, e.g. the implementation of the principles of necessity and proportionality. The EDPB also recommends that the Commission monitors future developments related to the U.S. Foreign Intelligence Surveillance Act, in particular given the extended reach of Section 702 after its re-authorisation by the U.S. Congress earlier this year.

EDPB Deputy Chair Zdravko Vukić said: “We are pleased that progress has been made since the adoption of the adequacy decision thanks to the fruitful cooperation between U.S. authorities, the EU Commission and the EDPB. At the same time, there is still space for improvement and we should continue working together to maintain a high level of data protection and safeguard the rights and freedoms of EU individuals.”

Finally, the Board recommends that the next review of the EU-U.S. adequacy decision should take place within three years or less.

 The statement on the recommendations of the HLG on access to data for effective law enforcement underlines that fundamental rights must be safeguarded when law enforcement agencies access the personal data of individuals. While the EDPB supports the aim of effective law enforcement, it points out that some of the HLG’s recommendations could cause serious intrusiveness vis-à-vis fundamental rights, in particular the respect for privacy and family life.

 While the EDPB positively notes the recommendation may lead to the establishment of a level-playing field on data retention, it considers that a broad and general obligation to retain data in electronic form by all service providers would create a significant interference with the rights of individuals. Therefore, the EDPB questions whether this would meet the requirements of necessity and proportionality of the Charter of Fundamental Rights of the EU and the CJEU jurisprudence. 

In its statement, the EDPB also emphasizes that the recommendations concerning encryption should not prevent its use or weaken the effectivity of the protection it provides. For example, the introduction of a client-side process allowing remote access to data before it is encrypted and sent on a communication channel, or after it is decrypted at the recipient, would in practice weaken encryption. Preserving the protection and effectivity of encryption is important to avoid that the respect for private life and confidentiality is negatively impacted and to ensure that the freedom of expression and economic growth, which depend on trustworthy technologies, are safeguarded. 

Note to editors

1 In line with art. 3 of EU-U.S. adequacy decision, the EU Commission is required to review the adequacy decision one year after its adoption. The review meeting was held in Washington D.C. on 18-19 July 2024 and the EU Commission was accompanied by five representatives of the EDPB.

2 The HLG was launched by the European Commission in June 2023 and it is co-chaired by the EU Commission and the rotating Presidency of the Council. It was launched with the aim to explore challenges for law enforcement practitioners in connection to access to data and propose solutions and recommendations.

In June 2024, the  HLG  published  42  recommendations  for  the further development of EU policies and legislation, structured as “capacity  building  measures”,  “cooperation  with  industry  and standardisation” and “legislative measures”. The  recommendations  cover  in  particular  encryption, cooperation  with  the  industry  as  well  as  between  law  enforcement agencies, and the need for harmonised rules on data retention.
 

The EDPB is holding a stakeholder event on “AI models” with participants representing European sector associations, organisations, NGOs, individual companies, law firms and academics. 

During today’s event, the EDPB will collect input for of the preparation of a consistency opinion on AI models, requested by the Irish Data Protection Authority under Art. 64 (2) GDPR.

EDPB Chair Anu Talus said: “During the stakeholder event we will tackle a number of targeted questions, which will feed our reflection in the context of the preparation of our Opinion on AI models. Stakeholder input is especially valuable for these fast-moving technologies with an exceptional societal impact.”

The EDPB's opinion on “AI models” is due by the end of 2024.

On 28 January 2025 in Brussels, to mark Data Protection Day, European Data Protection Supervisor (EDPS) together with Council of Europe (CoE) and Computers, Privacy and Data Protection, organises a one-day hybrid event focused on exploring the current and future landscape of data protection. 

The full programme and registration are available at https://cpdp-dataprotectionday.eu/