The Commission mainly addressed the concerns on U.S. intelligence surveillance raised in the Schrems II judgment. However, President Biden’s administration flagships to persuade the Commission have aroused skepticism. On the one hand, U.S. intelligence bodies are now bound to the principles of proportionality and necessity. These principles are familiar to the EU, but their interpretation may differ within the U.S. legal system. On the other hand, the U.S. established the Data Protection Review Court to resolve complaints filed by EU individuals and rule remedies regarding access to personal data by U.S. national security authorities. However, the Data Protection Review Court may deem its decisions classified and not subject to public scrutiny.
Given the doubts raised, the adequacy decision is expected to be challenged in the future, making it less likely a permanent solution for transatlantic personal data transfers. The Commission ensured a periodic review of the decision, with the next one being in July 2024.
In the U.S., the DPF program is administered by the International Trade Administration (‘ITA’) within the Department of Commerce and enables eligible U.S. companies to self-certify their compliance under the DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF.
U.S. companies interested in the program must self-certify to the ITA via the DPF website, publicly commit to comply with the DPF Principles and re-certify themselves annually. Although participation in the DPF program is voluntary, effective compliance is enforceable under U.S. law once companies commit to adhere to DPF Principles.
The public may access the ITA “Data Privacy Framework List”, wherein listed organizations make their data collection purpose available, privacy policies, dispute resolution methods –such as the privacy officer contact details and recourse mechanism–and other relevant information.
U.S. organizations deciding whether to participate or not in the program are analyzing if doing so will be commercially beneficial considering the EU personal data contained in their data flows. Also, companies are assessing whether they can implement continuous compliance methods, which include setting an effective complaint-handling process and paying a fee for the Binding Arbitration Mechanism.
Notably, U.S. organizations already registered under the EU-US Privacy Shield –for instance, Google, Amazon, and Cloudflare– were automatically transferred to the DPF program and are now listed in the “Data Privacy Framework List”. These companies are required to take action to comply with the DPF Principles by October 10, 2023. Otherwise, they might be listed as inactive. Measures to be taken include submitting new documents and statements to the authorities and adjusting their privacy policies.
In addition, companies are analyzing other solutions to the DPF program, such as the Standard Contractual Clauses (‘SCC’) and the Binding Corporate Rules (‘BCR’). As a result, the market has mixed reactions regarding implementing the DPF: (i) some companies are willing to favor the DPF over bespoke contracts, which take a long time to negotiate; (ii) other companies consider that even implementing DPF, the business partners may require additional contracts; thus DPF certification entails an unnecessary regulatory risk; (iii) other companies consider that they are willing to implement the DPF while keeping their existing contracts with their business partners.
EU companies may navigate through these new waters considering the following issues:
]]>
Data Protection Authorities (DPA) are independent public authorities that supervise, through investigative and corrective powers, the application of the GDPR. They provide expert advice on data protection issues and handle complaints lodged against violations of the General Data Protection Regulation and the relevant national laws. There is one in each EU Member State.
Generally speaking, the main contact point for questions on data protection is the DPA in the EU Member State where your company/organisation is based. However, if your company/organisation processes data in different EU Member States or is part of a group of companies established in the different EU Member States, that main contact point may be a DPA in another EU Member State.
Rue Wiertz 60
1047 Bruxelles/Brussel
Office: Rue Montoyer 30, 6th floor
Tel. +32 2 283 19 00
Fax +32 2 283 19 50
email: edps@edps.europa.eu
Website: http://www.edps.europa.eu/EDPSWEB/
Member: Mr Wojciech Wiewiórowski, European Data Protection Supervisor
Österreichische Datenschutzbehörde
Barichgasse 40-42
1030 Wien
Tel. +43 1 52152 2550
email: dsb@dsb.gv.at
Website: http://www.dsb.gv.at/
Member: Dr Andrea JELINEK, Director
Autorité de la protection des données – Gegevensbeschermingsautoriteit (APD-GBA)
Rue de la Presse 35 – Drukpersstraat 35
1000 Bruxelles – Brussel
Tel. +32 2 274 48 00
Fax +32 2 274 48 35
email: contact@apd-gba.be
Website: https://www.autoriteprotectiondonnees.be/ – https://www.gegevensbeschermingsautoriteit.be/
Member: Mr David Stevens, President
Commission for Personal Data Protection
2, Prof. Tsvetan Lazarov blvd.
Sofia 1592
Tel. + 359 2 915 3580
Fax +359 2 915 3525
email: kzld@cpdp.bg
Website: https://www.cpdp.bg/
Member: Mr Ventsislav KARADJOV, Chairman of the Commission for Personal Data Protection
Croatian Personal Data Protection Agency
Selska Cesta 136
10000 Zagreb
Tel. +385 1 4609 000
Fax +385 1 4609 099
email: azop@azop.hr
Website: http://www.azop.hr/
Member: Mr Zdravko Vukić, Director
Commissioner for Personal Data Protection
1 Iasonos Street,
1082 Nicosia
P.O. Box 23378, CY-1682 Nicosia
Tel. +357 22 818 456
Fax +357 22 304 565
email: commissioner@dataprotection.gov.cy
Website: http://www.dataprotection.gov.cy/
Member: Ms Irene LOIZIDOU NIKOLAIDOU, Commissioner for Personal Data Protection
Office for Personal Data Protection
Pplk. Sochora 27
170 00 Prague 7
Tel. +420 234 665 111
Fax +420 234 665 444
email: posta@uoou.cz
Website: http://www.uoou.cz/
Member: Ms Ivana JANŮ, President
Datatilsynet
Carl Jacobsens Vej 35
2500 Valby
Tel. +45 33 1932 00
Fax +45 33 19 32 18
email: dt@datatilsynet.dk
Website: http://www.datatilsynet.dk/
Member: Ms Cristina Angela GULISANO, Director
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Tatari 39
10134 Tallinn
Tel. +372 6828 712
email: info@aki.ee
Website: http://www.aki.ee/
Member: Ms Pille Lehis, Director General
Office of the Data Protection Ombudsman
P.O. Box 800
FI-00531 Helsinki
Tel. +358 29 56 66700
Fax +358 29 56 66735
email: tietosuoja@om.fi
Website: http://www.tietosuoja.fi/en/
Member: Mr Reijo AARNIO, Ombudsman
Commission Nationale de l’Informatique et des Libertés – CNIL
3 Place de Fontenoy
TSA 80715 – 75334 Paris, Cedex 07
Tel. +33 1 53 73 22 22
Fax +33 1 53 73 22 00
contact: https://www.cnil.fr/en/contact-cnil
Website: http://www.cnil.fr/
Member: Ms Marie-Laure DENIS, President of CNIL
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Graurheindorfer Straße 153
53117 Bonn
Tel.: +49 228 997799 0
Fax: +49 228 997799 5550
email: poststelle@bfdi.bund.de
Website: http://www.bfdi.bund.de/
Member and joint representative: Mr Prof. Ulrich KELBER, The Federal Commissioner for Data Protection and Freedom of Information
The competence for complaints is split among different data protection supervisory authorities in Germany.
Competent authorities can be identified according to the list provided under www.bfdi.bund.de/anschriften.
Hellenic Data Protection Authority
Kifisias Av. 1-3, PC 11523
Ampelokipi Athens
Tel. +30 210 6475 600
Fax +30 210 6475 628
email: contact@dpa.gr
Website: http://www.dpa.gr/
Member: Mr Konstantinos Menoudakos, President of the Hellenic Data Protection Authority
Hungarian National Authority for Data Protection and Freedom of Information
Falk Miksa utca 9-11
H-1055 Budapest
Tel. +36 1 3911 400
email: privacy@naih.hu
Website: http://www.naih.hu/
Member: Dr Attila PÉTERFALVI, President of the National Authority for Data Protection and Freedom of Information
Data Protection Commission
21 Fitzwilliam Square
Dublin 2
D02 RD28
Ireland
Tel. +353 76 110 4800
email: info@dataprotection.ie
Website: http://www.dataprotection.ie/
Member: Ms Helen DIXON, Data Protection Commissioner
Garante per la protezione dei dati personali
Piazza Venezia, 11
00187 Roma
Tel. +39 06 69677 1
Fax +39 06 69677 785
email: protocollo@gpdp.it
Website: http://www.garanteprivacy.it/
Member: Mr Antonello SORO, President of Garante per la protezione dei dati personali
Data State Inspectorate
Blaumana str. 11/13-15
1011 Riga
Tel. +371 6722 3131
Fax +371 6722 3556
email: info@dvi.gov.lv
Website: http://www.dvi.gov.lv/
Member: Ms Jekaterina Macuka, Director of Data State Inspectorate
State Data Protection Inspectorate
L. Sapiegos str. 17
LT-10312 Vilnius
Tel. +370 5 271 2804 / +370 5 279 1445
Fax +370 5 261 9494
email: ada@ada.lt
Website: http://www.ada.lt/
Member: Mr Raimondas Andrijauskas, Director of the State Data Protection Inspectorate
Commission Nationale pour la Protection des Données
15, Boulevard du Jazz
L-4370 Belvaux
Tel. +352 2610 60 1
Fax +352 2610 60 6099
email: info@cnpd.lu
Website: http://www.cnpd.lu/
Member: Ms Tine A. LARSEN, President of the Commission Nationale pour la Protection des Données
Office of the Information and Data Protection Commissioner
Second Floor, Airways House
High Street, Sliema SLM 1549
Tel. +356 2328 7100
Fax +356 2328 7198
email: idpc.info@idpc.org.mt
Website: http://www.idpc.org.mt/
Member: Mr Saviour CACHIA, Information and Data Protection Commissioner
Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30
P.O. Box 93374
2509 AJ Den Haag/The Hague
Tel. +31 70 888 8500
Fax +31 70 888 8501
Contact: https://autoriteitpersoonsgegevens.nl/nl/contact-met-de-autoriteit-persoonsgegevens/informatie-en-meldpunt-privacy
Website: https://autoriteitpersoonsgegevens.nl/nl
Member: Mr Aleid WOLFSEN, Chairman of the Autoriteit Persoonsgegevens
Urząd Ochrony Danych Osobowych (Personal Data Protection Office)
ul. Stawki 2
00-193 Warsaw
Tel. +48 22 531 03 00
Fax +48 22 531 03 01
email: kancelaria@uodo.gov.pl; zwme@uodo.gov.pl
Website: https://uodo.gov.pl/
Member: Mr Jan NOWAK, President of the Personal Data Protection Office
Comissão Nacional de Protecção de Dados – CNPD
Av. D. Carlos I, 134, 1º
1200-651 Lisboa
Tel. +351 21 392 84 00
Fax +351 21 397 68 32
email: geral@cnpd.pt
Website: http://www.cnpd.pt/
Member: Ms Filipa CALVÃO, President, Comissão Nacional de Protecção de Dados
The National Supervisory Authority for Personal Data Processing
B-dul Magheru 28-30
Sector 1, BUCUREŞTI
Tel. +40 31 805 9211
Fax +40 31 805 9602
email: anspdcp@dataprotection.ro
Website: http://www.dataprotection.ro/
Member: Ms Ancuţa Gianina OPRE, President of the National Supervisory Authority for Personal Data Processing
Office for Personal Data Protection of the Slovak Republic
Hraničná 12
820 07 Bratislava 27
Tel.: + 421 2 32 31 32 14
Fax: + 421 2 32 31 32 34
email: statny.dozor@pdp.gov.sk
Website: http://www.dataprotection.gov.sk/
Information Commissioner of the Republic of Slovenia
Dunajska 22
1000 Ljubljana
Tel. +386 1 230 9730
Fax +386 1 230 9778
email: gp.ip@ip-rs.si
Website: https://www.ip-rs.si/
Member: Ms Mojca PRELESNIK, Information Commissioner of the Republic of Slovenia
Agencia Española de Protección de Datos (AEPD)
C/Jorge Juan, 6
28001 Madrid
Tel. +34 91 266 3517
Fax +34 91 455 5699
email: internacional@aepd.es
Website: https://www.aepd.es/
Member : Ms María del Mar España Martí, Director of the Spanish Data Protection Agency
Datainspektionen
Drottninggatan 29
5th Floor
Box 8114
104 20 Stockholm
Tel. +46 8 657 6100
Fax +46 8 652 8652
email: datainspektionen@datainspektionen.se
Website: http://www.datainspektionen.se/
Member: Ms Lena Lindgren Schelin, Director General of the Data Inspection Board
In accordance with the European Economic Area (EEA) agreement, as from 20 July 2018, the EEA countries, Iceland, Lichtenstein, Norway, became members of the European Data Protection Board without voting right and without the right to be elected as chair and vice-chair, for GDPR related matters (see the EEA fact sheet)
Persónuvernd
Rauðarárstígur 10
105 Reykjavík
Tel: +354 510 9600
email: postur@dpa.is
Website: https://www.personuvernd.is or https://www.dpa.is
Ms Helga Þórisdóttir, Commissioner
Data Protection Authority, Principality of Liechtenstein
Städtle 38
9490 Vaduz
Principality of Liechtenstein
Tel. +423 236 6090
email: info.dss@llv.li
Website: https://www.datenschutzstelle.li
Member: Dr Marie-Louise Gächter, Commissioner
Datatilsynet
Tollbugata 3
0152 Oslo
Tel +47 22 39 69 00
email: postkasse@datatilsynet.no
Website: www.datatilsynet.no
Member: Mr Bjørn Erik THON, Director-General
Read more: What is a Data Processing Agreement (DPA)?
Source: EDPB
Photo by Guillaume Périgois on Unsplash
]]>