European Commission Adopts Adequacy Decision for EU-US Data Privacy Framework
With the 24 Member States from the European Union (EU) voting in favor of adopting the EU-US Data Privacy Framework (EU-US DPF), the European Commission (EC) believes that U.S. protection of personal data transferred between the countries is comparable to that offered in the EU.
On July 11, 2023, the new framework took effect, and the decision helps ensure that personal data transferred between the EU and the U.S. is protected by legal obligations.
The elements organizations should be aware of when transferring personal data between themselves and a GDPR-protected EU organization are:
- Basic data protection concepts should exist in organizational policies and procedures. For example, concepts and definitions over “personal data,” “data processor,” “sensitive data,” “biometric data” and “processing of personal data” should be documented in an organization’s policies and procedures.
- Lawful and fair processing for legitimate purposes must be a part of the company’s daily operations. These procedures should be recorded in sufficiently clear and concise plain language that can be understood by an individual. For example, detailing the concepts related to data collection for legitimate purposes, consent from a data subject and performance of processing by third parties should all be detailed in an organization’s procedures.
- The purpose limitation principle requires that data only be processed for the specific, legitimate purpose for which it was collected, and for nothing further without consent from the data subject.
- Data quality and proportionality require an organization to hold personal data that is accurate, up to date, adequate, relevant and not excessive. Technical mechanisms within the organization can be put in place to meet these requirements.
- The data retention principle requires that data be kept no longer than necessary to complete the stated purpose for processing. For example, when performing a transaction, the organization needs a credit card number to charge for its services. Once the transaction has been completed, the card number is no longer needed and shouldn’t be retained in the organization’s databases.
- The security and confidentiality principle requires organizations to implement technical and operational security controls to protect data from unauthorized access, inadvertent alteration, inappropriate deletion, destruction, unlawful processing and accidental loss.
- The transparency principle requires an organization to keep each individual informed about what is happening with their data. This information should be clear, concise and easily accessible to the individual, and it includes informing the data subject of their legal rights related to their data.
- The rights of access, rectification, erasure and objection are all basic rights found in the GDPR and various U.S. state privacy laws. These include allowing individuals to access their data in full at their discretion, to correct inaccuracies, to request that their data be deleted (with follow-through) and to object to any processing. An organization should create a public-facing web portal to facilitate such requests.
- Restrictions on onward transfers require organizations that are the original recipient of data, before forwarding it to another organization, to ensure the further recipient is also subject to rules affording an adequate level of protection and follows the relevant instructions laid out in the EU-US DPF. The initial recipient of the data is liable for ensuring appropriate safeguards are in place at the recipient organization prior to an onward transfer. These transfers should occur only for a specific purpose and when legally necessary.
These elements are provided by the European Data Protection Authority.
Weaver professionals have experience assisting organizations in implementing data security practices and industry accepted security frameworks. We are here to help with any needs related to the new framework. For more information about the EU-US DPF and how it may apply to your business, contact us.
Authored by Hunter Sundbeck, CISA, CDPSE, A+, CySA+ and Brett Nabors, CISA, CCSK, CDPSE, CMMC RP.
©2023