Exciting news! The European Commission has made an adequacy decision for the EU-U.S. Data Privacy Framework, which will have an impact on the current scenario of GDPR. The decision states that the United States ensures an adequate level of protection for personal data transferred from the EU to US companies participating in the EU-U.S. Data Privacy Framework. With this decision, personal data can flow freely and safely from the European Economic Area (EEA) to the US without additional conditions or authorizations. This means transfers to the US can be handled similarly to intra-EU data transmissions. US companies can participate in the framework by committing to privacy obligations, including principles like data minimization and purpose limitation, as well as obligations on data security and data sharing with third parties. The US Department of Commerce will administer the framework, processing applications for certification and monitoring compliance. Non-compliance will be enforced by the US Federal Trade Commission. Regarding access to data by US intelligence agencies, the adequacy decision takes into account the Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities.’ This order includes binding safeguards to limit access to data for national security purposes, enhanced oversight of intelligence services, and the establishment of an independent redress mechanism through the Data Protection Review
Privacy Shield Framework
Summary
The privacy shield framework, now replaced by the EU-U.S. Data Privacy Framework, is a set of rules that allows companies to transfer personal data from Europe to the United States while ensuring that privacy protections meet EU standards. Recent court decisions have confirmed this framework's validity, providing assurance for businesses exchanging data between the EU and U.S.
- Check ongoing requirements: Regularly review and update your privacy policies to stay compliant with the latest obligations under the framework.
- Monitor legal updates: Stay informed about possible court challenges or changes in U.S. surveillance laws that could affect future data transfers.
- Consider multiple safeguards: Use the framework alongside other transfer mechanisms to ensure greater security and continuity for cross-border data exchanges.
-
Adequate ✅ The EU General Court has just dismissed the challenge to the EU-US Data Privacy Framework in Latombe v Commission. This means the adequacy decision from July 2023 stands firm!

What this means for us:
✅ Legal certainty for transatlantic data transfers continues
✅ No immediate disruption to US-EU data flows
✅ The framework that replaced Privacy Shield remains valid
✅ Organizations can keep relying on the adequacy decision without scrambling for alternatives

Key validation points:
• The Data Protection Review Court (DPRC) was found to be sufficiently independent
• Bulk data collection safeguards meet EU equivalency standards
• The Commission’s continuous monitoring framework provides adequate oversight

After the chaos of Schrems I & II that invalidated Safe Harbor and Privacy Shield, this ruling provides the stability the industry desperately needed. Of course, an appeal to the Court of Justice is still possible, but for now we can breathe easier knowing our transatlantic compliance frameworks remain intact.
-
The question on everyone's mind this week: ❓Should we sign on to the new EU-U.S. Privacy Framework❓ The answer is the same as usual: "It depends!"

➡ If you are already registered to Privacy Shield, YES. You will be automatically moved over to the new program and will not need to complete a new certification (in fact, it is more work not to sign up). Privacy Policy updates will be required before October 2023.

➡ If you are not already registered to Privacy Shield, there are reasons to consider the new Framework, but it's far from fail-safe.

Considerations:
• SCCs are not a reliable mechanism after the Meta decision. The Framework gives an additional layer of support for cross-border transfers. Continue to engage SCCs and TIAs regardless of whether you sign on to the Framework. Belt and suspenders approach.
• Companies that provide communication services (defined broadly, including features like email, chat, and DMs) are square in the middle of the central issue behind all the chaos in this space, and should seek out every available transfer mechanism.
• Just assume the Framework is temporary. Max Schrems already has his lawsuit drafted, it's just a matter of how long the litigation takes and what happens in between (see next point).
• Section 702 is up for renewal at the end of this year, and there has been significant debate on whether to renew it as is or make changes to the requirements for government surveillance (such as requiring a warrant). If changes to Section 702 are made, a challenge to the Framework might not succeed.

More info and background on all of these points in some of my previous posts, linked below. If you need additional guidance, get in touch! #privacy #dataprivacy #gdpr #dpf
-
🇪🇺🇺🇸EU-US data transfers are safe for now! ‼️The long-awaited judgment of the General Court in Latombe v Commission (Case T-553/23) has confirmed the validity of the European Commission’s adequacy decision of 10 July 2023, which created the new EU-US Data Privacy Framework. This ruling provides a much-needed moment of stability after the turbulence of Schrems I and Schrems II, when the Court of Justice struck down the two previous transatlantic frameworks. The case was brought by French MEP Philippe Latombe, who argued that the new framework failed to resolve fundamental issues. He claimed that the newly created Data Protection Review Court (DPRC) is neither impartial nor independent, and that U.S. intelligence agencies still conduct bulk surveillance without sufficient safeguards or prior authorisation. The General Court rejected these arguments. It found that the DPRC enjoys sufficient guarantees of independence, since judges are appointed under clear rules, cannot be dismissed arbitrarily, and are protected from interference by the Attorney General or intelligence agencies. The Court also underlined that EU law does not require prior authorisation for bulk data collection. What matters is whether there is meaningful oversight. In this respect, the Court noted that U.S. signals intelligence activities are subject to ex post judicial review by the DPRC, which meets the standard required by EU law. Another important element is the Commission’s continuing obligation to monitor developments in U.S. law. If future changes weaken the safeguards underpinning the adequacy decision, the Commission has the power to suspend, amend, or repeal the decision. This ongoing oversight was seen as a crucial safeguard to ensure that the level of protection remains “essentially equivalent” to that guaranteed within the EU. 
💡The case may be appealed to the Court of Justice, and further challenges by privacy activists are already in preparation. For now, however, the General Court’s ruling confirms that the EU-US Data Privacy Framework stands on firm legal ground. This provides welcome breathing space for companies engaged in transatlantic data flows, while reminding us that the balance between privacy rights and national security will continue to be tested in Luxembourg and beyond. #gdpr #rodo