On July 19, 2023, the European Data Protection Board (“EDPB”) issued an Information Note regarding data transfers to the U.S. following the adoption of an adequacy decision on the EU-U.S. Data Privacy Framework (the “Data Privacy Framework”) on July 10, 2023 (the “Information Note”).
In the Information Note, the EDPB confirms that from July 10, data transfers from the EU to organizations that are self-certified to the Data Privacy Framework and are included on the Data Privacy Framework List, which is maintained by the U.S. Department of Commerce, may proceed based on the adequacy decision. Companies making such transfers do not need to rely on one of the alternative transfer mechanisms set forth under Article 46 of the EU General Data Protection Regulation (“GDPR”), nor do they need to implement supplementary measures.
Importantly, the Information Note clarifies the impact of the adequacy decision for companies that are not certified to the Data Privacy Framework. According to the EDPB, organizations that rely on one of the alternative transfer mechanisms set forth under Article 46 of the GDPR to transfer data from the EU to the U.S. (such as Standard Contractual Clauses or Binding Corporate Rules) should take into account the assessment conducted by the European Commission in the context of the adequacy decision when drafting their transfer risk assessments. As a result of the Schrems II judgment, controllers relying on a transfer mechanism under Article 46 of the GDPR to transfer personal data outside the European Economic Area (“EEA”) must verify, on a case-by-case basis and in collaboration with the data importers, as appropriate, whether the law of the importer’s country ensures a level of protection for the personal data that is essentially equivalent to the EEA’s protections (i.e., conduct transfer risk assessments). If not, supplementary measures must be implemented to help ensure that the requisite level of protection is in place. The task of conducting and documenting transfer risk assessments may therefore be simplified for data exporters transferring personal data to the U.S.
The Information Note also clarifies the procedures for data subjects to submit complaints and make use of the new redress mechanism.