Brussels, 19 July - During its latest EDPB plenary, the EDPB adopted an information note for individuals and entities transferring data to the U.S.. This note aims to provide concise and objective information regarding the impact of the adequacy decision on transfers to the U.S., the redress mechanisms available under the Data Privacy Framework (DPF), and the new redress mechanism in the area of national security.
EDPB Chair, Anu Talus said: “The adoption of the DPF by the European Commission, following the EDPB opinion of February 2023, is an important decision recognising that personal data can now flow from the European Economic Area to the United States, without any further conditions. It is essential that individuals are aware of their rights and that organisations know their obligations, which the EDPB explains in the information note. The EDPB will continue to pay special attention to the correct implementation of this new instrument and we look forward to contributing to the first review of the DPF next year.”
The information note clarifies that transfers based on adequacy decisions do not need to be complemented by supplementary measures. Transfers to the U.S. which are not included in the ‘Data Privacy Framework List’ require appropriate safeguards, such as standard data protection clauses or binding corporate rules. In this respect, the EDPB underlines that all the safeguards that have been put in place by the U.S. Government in the area of national security (including the redress mechanism) apply to all data transferred to the U.S., regardless of the transfer tool used.
Furthermore, the information note specifies that in the area of national security, EU individuals can submit a complaint to their national data protection authority (DPA) to make use of the new redress mechanism regardless of the transfer tool used to transfer personal data to the U.S.
During the plenary, representatives of the European Commission also gave a presentation on the DPF and the changes following the EDPB Opinion.
Next, the EDPB adopted a Statement on the first review of the Japan Adequacy Decision. The statement focuses mainly on the assessment of the commercial aspects of the Japanese adequacy decision, as the Japanese legal framework has seen some amendments in this area since the issuing of the adequacy decision, which lead to further convergence with the GDPR. These include the extension of the right to object to a processing, the strengthening of the duty to notify data breaches to the Japanese data protection authority and to individuals, and the broadening of the scope of the Japan Act on the Protection of Personal Information (APPI) so that it no longer excludes personal data that are “set to be deleted” within six months.
At the same time, the EDPB considers that there are some areas that require closer monitoring by the European Commission, especially concerning the new category of “pseudonymised” personal information in Japanese law and the use of consent in situations of imbalance of power. The EDPB therefore welcomes the European Commission’s commitment to closely monitor these issues.
Overall, the EDPB agrees with the European Commission’s assessment of the review and welcomes the Commission’s proposal to move to a review cycle of four years.
Note to editors:
All documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.