EDPB informs stakeholders about the implications of the Data Privacy Framework

July 26, 2023

Transferring data to the US

During its latest EDPB plenary, the European Data Protection Board adopted an information note for individuals and entities transferring data to the US. This note aims to provide concise and objective information regarding the impact of the adequacy decision on transfers to the US, the redress mechanisms available under the Data Privacy Framework (DPF), and the new redress mechanism concerning the area of national security.

The information note clarifies that transfers based on adequacy decisions do not need to be complemented by supplementary measures. Transfers to the US which are not included in the “Data Privacy Framework List” require appropriate safeguards, such as standard data protection clauses or binding corporate rules. The EDPB emphasises that all the safeguards that have been put in place by the US government regarding national security (including the redress mechanism) apply to all data transferred to the US, regardless of the transfer tool used.

Furthermore, the information note specifies that in respect of national security, EU individuals can submit a complaint to their national data protection authority to make use of the new redress mechanism regardless of the transfer tool used to transfer personal data to the US.

Review of the Japan Adequacy Decision

In addition, the EDPB adopted a Statement on the first review of the Japan Adequacy Decision. The statement focuses mainly on the assessment of the commercial aspects of the Japanese adequacy decision, as the Japanese legal framework has seen some changes in this area since the issuing of the adequacy decision, which lead to further convergence with the GDPR. These include the extension of the right to object to processing, the strengthening of the duty to notify data breaches to the Japanese data protection authority and to individuals, and the broadening of the scope of the Japan Act on the Protection of Personal Information so that it no longer excludes personal data that are “set to be deleted” within six months.

At the same time, the EDPB considers that there are some areas that require closer monitoring by the European Commission, especially concerning the new category of “pseudonymised” personal information in Japanese law and the use of consent in situations of imbalance of power. The EDPB therefore welcomes the European Commission’s commitment to closely monitor these issues.

Overall, the EDPB agrees with the European Commission’s assessment of the review and welcomes the Commission’s proposal to move to a review cycle of four years.