European Data Protection Board Issues Information Note on Data Transfers under the Data Privacy Framework

9 months ago AndyC

Listen to this post

On July 19, 2023, the European Data Protection Board (“EDPB”) issued an Information Note regarding data transfers to

European Data Protection Board Issues Information Note on Data Transfers under the Data Privacy Framework
Listen to this post

On July 19, 2023, the European Data Protection Board (“EDPB”) issued an Information Note regarding data transfers to the U.S. following the adoption of an adequacy decision on the EU-U.S. Data Privacy Framework (the “Data Privacy Framework”) on July 10, 2023 (the “Information Note”).

In the Information Note, the EDPB confirms that from July 10, data transfers from the EU to organizations that are self-certified to the Data Privacy Framework and are included on the Data Privacy Framework List, which is maintained by the U.S. Department of Commerce, may proceed based on the adequacy decision. Companies making such transfers do not need to rely on one of the alternative transfer mechanisms set forth under Article 46 of the EU General Data Protection Regulation (“GDPR”), nor do they need to implement supplementary measures.

Importantly, the Information Note clarifies the impact of the adequacy decision for companies that are not certified to the Data Privacy Framework. According to the EDPB, organizations that rely on one of the alternative transfer mechanisms set forth under Article 46 of the GDPR to transfer data from the EU to the U.S. (such as Standard Contractual Clauses or Binding Corporate Rules) should take into account the assessment conducted by the European Commission in the context of the adequacy decision when drafting their transfer risk assessments. As a result of the Schrems II judgment, controllers relying on a transfer mechanism under Article 46 of the GDPR to transfer personal data outside the European Economic Area (“EEA”) must verify, on a case-by-case basis and in collaboration with the data importers, as appropriate, whether the law of the importer’s country ensures a level of protection for the personal data that is essentially equivalent to the EEA’s protections (i.e., conduct transfer risk assessments). If not, supplementary measures must be implemented to help ensure that the requisite level of protection is in place. The task of conducting and documenting transfer risk assessments may therefore be simplified for data exporters transferring personal data to the U.S.

The Information Note also clarifies the procedures for data subjects to submit complaints and make use of the new redress mechanism.

Read the EDPB’s Information Note.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , , , , , , , ,

More Stories

CIPL Publishes Report on Enabling Beneficial and Safe Uses of Biometric Technology Through Risk-Based Regulations

CIPL Publishes Report on Enabling Beneficial and Safe Uses of Biometric Technology Through Risk-Based Regulations

3 days ago AndyC
CIPL Publishes White Paper on Leveraging Data Responsibly and a Holistic Data Strategy

CIPL Publishes White Paper on Leveraging Data Responsibly and a Holistic Data Strategy

4 days ago AndyC
New Bipartisan Federal Privacy Proposal Unveiled: American Privacy Rights Act

New Bipartisan Federal Privacy Proposal Unveiled: American Privacy Rights Act

5 days ago AndyC
EDPB Issues Opinion on Pay-Or-Consent Models

EDPB Issues Opinion on Pay-Or-Consent Models

6 days ago AndyC
UK ICO Launches Latest Installment in the AI Consultation Series

UK ICO Launches Latest Installment in the AI Consultation Series

2 weeks ago AndyC
Connecticut Attorney General Issues Report on Privacy Law Enforcement Priorities

Connecticut Attorney General Issues Report on Privacy Law Enforcement Priorities

3 weeks ago AndyC

You may have missed

Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION

Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION

3 hours ago AndyC
Targeted operation against Ukraine exploited 7-year-old MS Office bug

Targeted operation against Ukraine exploited 7-year-old MS Office bug

3 hours ago AndyC
Weekly Update 397

Weekly Update 397

3 hours ago AndyC
What Would a TikTok Ban Mean?

What Would a TikTok Ban Mean?

3 hours ago AndyC
Hackers may have accessed thousands of accounts on California state welfare platform

Hackers may have accessed thousands of accounts on California state welfare platform

21 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.