In Brief
The European Data Protection Board (EDPB) has issued its opinion on the EU-US Data Privacy Framework (DPF) and has reservations, including about exemptions to data subjects’ right of access, an absence of clear definitions, lack of rules on automated decision making, and lack of clarity on onward transfers, so it will now need more scrutiny by EU institutions. As a result, businesses that transfer personal data between the EU and US should continue relying on the other data transfer mechanisms available under the GDPR, such as Binding Corporate Rules and Standard Contractual Clauses.