A good summary of the draft adequacy decision.
The EU Commission has published the long-awaited draft adequacy decision for data transfers from the EU to the US after analysing US law and practice, including Executive Order 14086 and the AG Regulation. It concludes that the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. data protection framework. The EU-U.S. Privacy Framework is a certification system that commits U.S. organizations to adhere to a set of privacy principles issued by the U.S. Department of Commerce. The principles apply immediately after certification. They are without prejudice to the requirements of Regulation (EU) 2016/679 applicable to entities in the Union that transfer data, such as purpose limitation, data minimisation, transparency and data security.
Personal data may be transferred from the EU to the USA under the EU-U.S. GDPR, except for data collected for the publication, broadcast or other forms of public communication of journalistic material. The EU-U.S. Data Processing Principles apply to organizations in the U.S. that are considered controllers or processors and are contractually obligated to act only on instructions from the controller in the EU and to assist the controller in responding to requests from individuals exercising their rights under the Principles. Under the EU-U.S. data protection framework, personal data must be processed lawfully and fairly and must not be incompatible with the purpose for which it was originally collected.
In certain circumstances, consent is not required for the processing of sensitive data. However, in accordance with the principle of data integrity and purpose limitation, organisations must ensure that personal data is accurate, complete and up-to-date and may retain personal data only for as long as it serves the purpose or purposes for which it was originally collected or for which the data subject has given consent in accordance with the principle of freedom of choice. In addition, personal data must be processed in such a way as to ensure its security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Finally, controllers and processors must take appropriate technical and organisational measures.