As previously reported, on 10th July 2023, the European Commission adopted the Adequacy Decision, which ensures an adequate level of protection for personal data transferred from the EU to organisations in the US. The Decision is based on the EU-US Data Privacy Framework (DPF) and eliminates the need for Article 46 GDPR transfer tools. The European Data Protection Board (EDPB) recently adopted an informative note, providing crucial insights into the impact of the DPF on data subjects in the EU and organisations transferring data from the EU to the US.

The information note sheds light on the Decision's profound effect on personal data transfers from the EU to the US. The note, adopted at the EDPB's plenary session on 18 July 2023, has outlined some essential points that all parties involved should be aware of:

Transferring Data to the US under the DPF

Starting from 10 July 2023, EU-US data transfers to importers named in the Data Privacy Framework List (DPF list) can rely on the adequacy decision without the need for Article 46 GDPR data transfer safeguards or supplementary measures. This means smoother and more streamlined data transfers without extra hurdles. If data importers in the US are not included in the DPF list, appropriate data protection safeguards, enforceable rights, and legal remedies are required under Article 46 GDPR, accompanied by supplementary measures to ensure proper data protection.

Redress Mechanisms for EU Data Subjects

There are now new redress mechanisms available to EU data subjects if they believe that a US organisation is not complying with the DPF. Individuals are encouraged to first raise complaints with the relevant US organisation and how EU organisations can seek advice from their data protection authorities. EU data subjects have access to the DPF redress mechanism enabling them to submit complaints to their supervisory authority regardless of the transfer safeguard employed for data transfers to the US. This mechanism includes independent dispute resolution, an arbitration panel, and a Data Protection Review Court for impartial investigation and resolution of complaints.

Utilising the New Redress Mechanism for National Security Concerns

Data subjects in the EU can submit complaints to their national data protection authority concerning the new redress mechanism in the interest of national security, irrespective of the transfer tool used. Regardless of the GDPR transfer safeguard used, all safeguards established by the US government for national security purposes, including the redress mechanism, apply to data transferred from the EU to the US. This ensures a level playing field for data protection, irrespective of the chosen transfer tool.

The EDPB's reception of the DPF has been positive, acknowledging it as a significant decision facilitating EU-US transfers without additional safeguarding conditions. The board will continue to closely monitor the implementation of the DPF and actively contribute to its first review scheduled for the following year.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.