EDPB Publishes Key Insights on EU-U.S. Data Privacy Framework and Law Enforcement Data Access Recommendations

Written by Jeremy Werner

Posted on 11/06/2024

UPDATE — SEPTEMBER 2025: Since the European Data Protection Board (EDPB) adopted its first report on the EU-U.S. Data Privacy Framework (DPF) and its statement on the High-Level Group (HLG) recommendations in late 2024, the Board has advanced several enforcement and guidance priorities while continuing to monitor transatlantic data flows.

In early 2025, the EDPB launched its Coordinated Enforcement Framework (CEF) for the year, focusing on the right to erasure under GDPR. Thirty national data protection authorities are now jointly examining how organizations handle erasure requests, an effort expected to yield both insights and possible follow-up actions across Europe.

The Board also issued the Helsinki Statement (July 2025), pledging to make GDPR compliance more accessible, especially for SMEs. It promised more practical resources, harmonized guidance, and aligned interpretations to ease administrative burdens while maintaining strong privacy protections.

On international transfers, the EDPB finalized its guidelines on data transfers to third-country authorities (Art. 48 GDPR) in mid-2025. This guidance clarifies the conditions under which requests from non-EU governments may be honored, further complementing the DPF. The EDPB also welcomed EU Commission proposals simplifying GDPR record-keeping obligations for smaller companies, easing compliance without weakening individual rights.

Despite these developments, the EDPB’s original assessment of the DPF remains unchanged: progress is evident, but continued monitoring is essential. U.S. authorities are still urged to actively oversee DPF-certified companies and clarify rules around onward transfers, especially for human resources data.

Meanwhile, broader EU laws—the Data Act (effective Sept. 2025), the Digital Operational Resilience Act (DORA), and the NIS2 Directive—are reshaping the regulatory backdrop by tightening data sharing, cybersecurity, and ICT resilience rules.

ORIGINAL NEWS POST:

The European Data Protection Board (EDPB) recently announced two significant developments, adopting its first annual report on the EU-U.S. Data Privacy Framework (DPF) and issuing a statement on recommendations from the High-Level Group (HLG) regarding data access for law enforcement.

The EDPB’s report on the EU-U.S. Data Privacy Framework marks the first review since the framework’s adoption in July 2023. The review addresses both commercial aspects of the framework and how U.S. authorities access personal data transferred under it. The EDPB acknowledged efforts by the U.S. Department of Commerce to streamline the certification process for companies, including launching a dedicated website and increasing engagement with stakeholders. Additionally, it recognized the implementation of a multi-layered redress mechanism designed to support EU individuals’ data privacy rights. However, the EDPB noted a low number of complaints under the DPF and highlighted the need for U.S. authorities to proactively monitor DPF-certified companies’ compliance.

One area for potential improvement in the DPF, according to the EDPB, is the guidance available to DPF-certified companies on transferring data received from EU exporters to other third countries. The EDPB encourages the U.S. Department of Commerce to clarify these requirements, particularly regarding human resources data, for which a consistent approach is often lacking. The EDPB offered to support the development of such guidance, underlining its willingness to work with U.S. authorities on refining the framework.

Regarding law enforcement’s access to EU citizens’ data, the EDPB’s statement on the HLG recommendations addresses critical concerns about data retention and encryption. The HLG’s recommendations emphasize the need for a level playing field in data retention policies across the EU, but the EDPB raised questions about the necessity and proportionality of broad, general obligations for data retention by service providers. Specifically, it cautioned against any requirements that would obligate providers to retain data in ways that might interfere with individuals’ fundamental rights, particularly regarding privacy and family life.

The EDPB also highlighted concerns about encryption, stressing that the HLG’s suggestions should not weaken encryption protocols or undermine their effectiveness. For example, recommendations allowing remote access to data before encryption, or after decryption, risk compromising the confidentiality that encryption is intended to safeguard. Strong encryption, the EDPB emphasized, is vital for protecting private communications and supporting freedom of expression and economic growth. The EDPB urged the European Commission and the EU Member States to carefully evaluate the legal and technical implications of these recommendations, taking particular care to uphold data protection standards.

“The developments achieved since the DPF’s adoption are encouraging,” said Zdravko Vukić, Deputy Chair of the EDPB. “However, there is room for growth, and we must continue collaborating to ensure a high level of data protection for EU individuals.”

The EDPB recommends that the European Commission conduct its next review of the EU-U.S. adequacy decision within three years, or sooner if necessary, to keep pace with any significant legal or policy developments. With this timeline, the EDPB hopes to maintain rigorous oversight, fostering transparency and trust in international data flows and law enforcement data access.