As previously reported, on 10th July 2023, the European Commission adopted the Adequacy Decision, which ensures an adequate level of protection for personal data transferred from the EU to organisations in the US. The Decision is based on the EU-US Data Privacy Framework (DPF) and eliminates the need for Article 46 GDPR transfer tools. The European Data Protection Board (EDPB) recently adopted an informative note, providing crucial insights into the impact of the DPF on data subjects in the EU and organisations transferring data from the EU to the US.
The information note sheds light on the Decision’s profound effect on personal data transfers from the EU to the US. The note, adopted at the EDPB’s plenary session on 18 July 2023, has outlined some essential points that all parties involved should be aware of:
Transferring Data to the US under the DPF
Starting from 10 July 2023, EU-US data transfers to importers named in the Data Privacy Framework List (DPF list) can rely on the adequacy decision without the need for Article 46 GDPR data transfer safeguards or supplementary measures. This means smoother and more streamlined data transfers without extra hurdles. If data importers in the US are not included in the DPF list, appropriate data protection safeguards, enforceable rights, and legal remedies are required under Article 46 GDPR, accompanied by supplementary measures to ensure proper data protection.
Redress Mechanisms for EU Data Subjects
There are now new redress mechanisms available to EU data subjects if they believe that a US organisation is not complying with the DPF. Individuals are encouraged to first raise complaints with the relevant US organisation and how EU organisations can seek advice from their data protection authorities. EU data subjects have access to the DPF redress mechanism enabling them to submit complaints to their supervisory authority regardless of the transfer safeguard employed for data transfers to the US. This mechanism includes independent dispute resolution, an arbitration panel, and a Data Protection Review Court for impartial investigation and resolution of complaints.
Utilising the New Redress Mechanism for National Security Concerns
Data subjects in the EU can submit complaints to their national data protection authority concerning the new redress mechanism in the interest of national security, irrespective of the transfer tool used. Regardless of the GDPR transfer safeguard used, all safeguards established by the US government for national security purposes, including the redress mechanism, apply to data transferred from the EU to the US. This ensures a level playing field for data protection, irrespective of the chosen transfer tool.
The EDPB’s reception of the DPF has been positive, acknowledging it as a significant decision facilitating EU-US transfers without additional safeguarding conditions. The board will continue to closely monitor the implementation of the DPF and actively contribute to its first review scheduled for the following year.
Please contact Jose Saras and Xavier Prida if you have any questions or concerns regarding the GDPR Adequacy Decision and its impact on your organisation’s data transfers.
The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.
This article is written in English language. Preiskel & Co LLP is not responsible for any translation of all or part of its content into any language.