IAPP’s view on draft adequacy decision for the EU-US Data Privacy Framework

December 2022 by Caitlin Fennessy, VP and Chief Knowledge Officer, International Association of Privacy Professionals (IAPP)

In light of the published draft adequacy decision on data flows between the EU and US, Caitlin Fennessy, VP and Chief Knowledge Officer of the International Association of Privacy Professionals (IAPP), shared this comment.

Publication of the European Commission’s draft adequacy determination for the EU-US Data Privacy Framework on December 12 launches the EU’s formal adequacy review process, which will now bring in views of the European Data Protection Board, potentially the Parliament, and Member States. As expected, the draft outlines the Commission’s reasoning in finding the framework adequate, with a focus on the new necessity and proportionality requirements for US signals intelligence and the Data Protection Review Court outlined in the recent Executive Order and Department of Justice regulations. Data transfer issues topped privacy professionals’ list of strategic priorities in this year’s IAPP-EY Privacy Governance report yet again, suggesting many will follow the adequacy process much like a World Cup match in the months ahead.

A few noteworthy elements:
1. The Commission’s draft makes clear that although the new legal requirements are now in force, they must be translated into U.S. intelligence policies before the adequacy determination will be finalized.
2. The draft outlines the commercial requirements under the new framework, which had not previously been made public. While the EU Court of Justice did not critique the Privacy Shield’s commercial requirements, the European Commission and Department of Commerce took the opportunity to align the text of the framework with the GDPR, which was not yet in force when the Privacy Shield was finalized. This resulted in a few substantive changes, including an update to the definition of personal data and coverage of key-coded data.
3. The draft references U.S. statutory bodies that could be listed in a future annex to the Principles, likely alluding to interest in bringing on board financial regulators and State Attorneys General as enforcers, which could enable financial institutions and non-profits to participate in the framework down the line.
4. The Commission’s draft states that the exemption of public journalistic material from the framework’s principles, which did not change from the Privacy Shield, means that such information cannot be transferred on the basis of the framework. The potential impacts of this clarification are worth considering.
5. The Department of Commerce’s administrative commitments were also updated, which will impact what is required of self-certifying companies. These updates largely reflect iterative strengthening of the Privacy Shield program resulting from the first three annual reviews. Companies planning to self-certify should take careful note of the expanded information that will be verified during the certification process as well as the timing in which they must update privacy policies to reflect the framework’s new name. The Department of Commerce is expected to publish further guidance in these areas soon.

