Review of EU-U.S. Data Transfer Pact Mentions Progress and Concerns

praised the U.S. for creating redress mechanisms for EU individuals and appointing judges and special advocates to handle complaints. However, it said, it has "identified ... a number of points for additional clarifications, for attention or for concern." These include that while the DPF certification process seems to be running smoothly, the board expects the Commerce Department to boost oversight and enforcement to ensure compliance by certified organizations with all DPF principles. The need for proactive oversight is particularly clear in light of the very low number of complaints received in the DPF's first year, it said. The review also urged Commerce to provide practical guidance on accountability for the onward transfer principle, saying it's concerned some certified companies are unaware of the requirements for lawful transfers of personal data they receive from EU exporters to third countries that the European Commission, under the general data protection regulation (GDPR), doesn't consider adequate. Regarding government access to data, the EDPB said it would welcome more discussion on how U.S. agencies are interpreting and applying GDPR principles of necessity and proportionality of data collection. The board "regrets" that the "Reform Intelligence and Securing America Act," which extends Section 702 of the Foreign Intelligence Surveillance Act, didn't incorporate a recommendation by the Privacy and Civil Liberties Oversight Board to codify some aspects of Executive Order 14086, which would add more safeguards. The board also suggested that the EC carry out its next review of the DPF in three years rather than four to monitor EDPB concerns more closely.