EDPB offers clarity on EU-U.S. Data Privacy Framework
The European Data Protection Board clarifies the EU-U.S. Data Privacy Framework for European individuals with a FAQ explaining their rights and complaint procedures.
The European Data Protection Board (EDPB) this week published a comprehensive Frequently Asked Questions (FAQ) document specifically aimed at European individuals. This FAQ clarifies the recently adopted EU-U.S. Data Privacy Framework (DPF) and its implications for their personal data transferred to U.S. companies.
Prior to July 2020, the Privacy Shield served as the mechanism for ensuring adequate data protection standards for personal data transferred from the European Economic Area (EEA) to U.S. companies. However, the European Court of Justice (ECJ) invalidated the Privacy Shield, citing concerns about U.S. government access to European data.
To address this gap and facilitate continued data flows, the EU Commission, in collaboration with the U.S. Department of Commerce, established the DPF. The DPF relies on U.S. companies' self-certification to comply with its principles and obligations regarding the processing of Europeans' personal data.
EDPB empowers Europeans
The EDPB's FAQ empowers European individuals by providing clear and concise information about how the DPF works and their rights under this framework. Here are some key takeaways:
Simplified Data Transfers: The DPF allows for the free flow of personal data to U.S. companies certified under the program, eliminating the need for additional safeguards or authorization procedures that were previously required.
Individual Rights Upheld: The DPF guarantees specific rights for Europeans. These include the right to be informed about data transfers and their purposes, to access their personal data held by U.S. companies, and to have it rectified or erased if necessary.
Multi-pronged Enforcement: The FAQ outlines various avenues for Europeans to lodge complaints if they believe a U.S. company has infringed upon their data privacy rights under the DPF.
Complaint Procedures Explained
The EDPB acknowledges that navigating data privacy concerns can be complex. The FAQ offers a roadmap for Europeans to address potential issues with U.S. companies:
Direct Contact: The FAQ encourages individuals to first reach out directly to the U.S. company to resolve their concerns.
National Data Protection Authority (DPA): Each EU member state has a designated DPA responsible for enforcing data protection regulations. Europeans can file a complaint with their national DPA if direct communication with the company proves unsuccessful.
Informal Panel of EU DPAs: This option applies to complaints concerning HR data or where the U.S. company has specifically chosen the EU DPAs as its independent recourse mechanism. In such cases, an impartial panel composed of EU DPAs will investigate the complaint.
Referral to U.S. Authorities: For complaints falling outside the scope of HR data or where the U.S. company hasn't opted for the EU DPAs' redressal mechanism, the national DPA may refer the complaint to relevant U.S. authorities such as the Federal Trade Commission (FTC).
The EDPB FAQ includes a list of resources to empower Europeans in navigating the DPF:
EU-U.S. Data Privacy Framework List: This U.S. Department of Commerce website allows Europeans to verify a company's DPF certification status.
Data Privacy Framework Principles: This webpage details the DPF's principles that U.S. companies must adhere to regarding European personal data.
How to Submit a Complaint: This webpage explains the different channels available to lodge a complaint against a U.S. company under the DPF.