Struggling to keep up with not only our fast-changing regulatory landscape - but "just" with the EU-US Trans-Atlantic Data Privacy Framework (DPF)? Bookmark this page and plan when to catch up, and dig through it all when you have time.
EU-US DPF draft adequacy decision approved by the EUC (13 Dec 22)
See updated links list below.
The European Commission has launched the process towards adopting an adequacy decision for the EU-US Data Privacy Framework (DPF), after assessing the US legal framework.
The draft adequacy decision concludes that the DPF provides comparable safeguards to those of the EU and ensures an adequate level of protection for personal data transferred from the EU to US companies. The EUC has submitted the draft to the European Data Protection Board (EDPB) for their opinion, and it also has to go through the European Parliament resolution process.
A final decision is not expected before spring 2023 and the framework might not be final until late next year.
For now, here are some key elements highlighted by the EUC:
- Like with the former Privacy Shield, companies will be able to join the new framework by committing to comply with a detailed set of privacy obligations.
- There are "several redress avenues" planned for dealing with violations, including free of charge before independent dispute resolution mechanisms and an arbitration panel.
- A number of limitations and safeguards are put in place to ensure access to data by US public authorities is limited to what is necessary and proportionate to protect national security.
- There will also be a possibility to obtain redress related to US intelligence agencies' collection and use of personal data of EU people, which includes the creation of a Data Protection Review Court.
But I wouldn't pop the bottle of sparkles just yet - the draft decision must still go through the formal adoption procedure, including the review by the EDPB, and Max Schrems & noyb are sceptical, to say the least...
From the European Commission
- 13 Dec: The press release: Commission starts process to adopt adequacy decision for safe data flows with the US.
- 13 Dec: The actual Draft adequacy decision.
- 13 Dec: A Q&A on the Draft adequacy decision.
- 7 Oct: Their Q&A (web, also see handy PDF at the end of the page).
- 25 March: Factsheet – Transatlantic Data Privacy Framework.
From the US
- 7 Oct: Statement on the Executive Order from the U.S. Secretary of Commerce.
- 7 Oct: Fact sheet from the White House: President Biden Signs Executive Order to Implement the European Union-U.S. Data Privacy Framework.
- 25 March: Fact sheet from the White House: United States and European Commission Announce Trans-Atlantic Data Privacy Framework.
From NOYB & Max Schrems
- 13 Dec: Their reaction to the Draft adequacy decision: Statement on US Adequacy Decision by the European Commission
- 7 Oct: Their first reaction and summary: Executive Order on US Surveillance unlikely to satisfy EU law.
- 7 Oct: Direct download (PDF) to their structured (very helpful!) version of the Executive Order with bookmarks down to layer 3.