On 10 July 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (DPF). The decision concludes that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework.
US companies will be able to join the EU-U.S. Data Privacy Framework by committing to comply with a detailed set of privacy obligations, for instance the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties.
The European Data Protection Board released an informative note about the adequacy decision for the U.S.
Takeaways:
- Personal data can flow safely from the EU to US companies included in the DPF List, without having to put in place additional data protection safeguards
- Transfers to entities in the US which are not included in the DPF List cannot be based on the Adequacy Decision and will require appropriate data protection safeguards. When conducting the assessment, exporters can consider the assessment made by the European Commission in the Adequacy Decision
- Individuals are encouraged to first raise any complaint they may have with the relevant US organisation. If necessary, seek advice from the EU Data protection authorities
- Data subjects in the EU can submit a complaint to their national Data protection authority to make use of the new redress mechanism in the area of national security
If you need a consultation regarding the application of the EU-U.S. Data Privacy Framework, do not hesitate to contact us.
Prepared by Associate Partner, Certified Data Protection Expert (CIPP/E) Brigida Bacienė