EU-US Data Sharing: What the Latest EDPS Opinion Means for Data Protection Officers
On September 17, 2025, the European Data Protection Supervisor (EDPS) issued a significant Opinion regarding the European Commission’s proposed framework for sharing personal data between EU Member States and the United States. This development is particularly relevant in the context of border security and the U.S. Visa Waiver Program. The EDPS emphasized that while border security is crucial, any sharing of personal data with the U.S. must be accompanied by comprehensive and effective safeguards to protect the fundamental rights to data protection and privacy, regardless of nationality or residence.
Summary of the EDPS Opinion
The EDPS Opinion comes at a time when negotiations are underway for a new framework agreement that would enable EU Member States to sign bilateral data-sharing agreements with the U.S. The Opinion highlights the need for stringent safeguards to ensure that personal data is protected adequately when transferred across borders. The EDPS stresses that these safeguards should be comparable to those in place for law enforcement data exchanges, ensuring that privacy risks are mitigated effectively.
Risks and Safeguards
The EDPS has raised concerns about the seriousness of privacy risks associated with cross-border data transfers. The Opinion underscores the necessity for robust safeguards that are on par with those used in law enforcement data exchanges. This includes ensuring that data protection measures are not only comprehensive but also effective in safeguarding individuals’ privacy rights.
Implications for Data Protection Officers (DPOs)
For Data Protection Officers, the EDPS Opinion signifies a need to closely review and possibly revise data transfer mechanisms. DPOs must update risk assessments and ensure compliance with the evolving regulatory requirements. This involves staying informed about the latest developments and understanding the implications of the EDPS Opinion on their organization’s data protection strategies.
Practical Steps for Organizations
Organizations should take proactive steps to prepare for potential changes in data sharing regulations. This includes revisiting existing data sharing agreements to ensure they align with the new framework and conducting thorough Data Protection Impact Assessments (DPIAs). Additionally, organizations should monitor regulatory updates to remain compliant and adjust their data protection practices accordingly.