Brussels, 19th July 2023 – The European Data Protection Board (EDPB) held its latest plenary session and made significant decisions regarding data transfers to the United States under the Data Privacy Framework (DPF) and the first review of the Japan Adequacy Decision.
The EDPB adopted an information note aimed at providing clear and objective guidance to individuals and entities transferring data to the United States. The note emphasizes the impact of the adequacy decision on data transfers, highlights available redress mechanisms under the DPF, and focuses on the new redress mechanism concerning national security.
EDPB Chair, Anu Talus, emphasized the importance of the DPF adoption by the European Commission, which allows personal data to flow freely from the European Economic Area to the United States without additional conditions. The information note aims to raise awareness of individual rights and organizational obligations under the DPF. The EDPB is committed to ensuring the proper implementation of this new instrument and looks forward to contributing to its first review next year.
The information note clarifies that transfers based on adequacy decisions do not require supplementary measures. However, transfers not included in the ‘Data Privacy Framework List’ need appropriate safeguards, such as standard data protection clauses or binding corporate rules. The EDPB emphasizes that all safeguards established by the U.S. Government in the area of national security apply to all data transfers, regardless of the chosen transfer tool.
Regarding the new redress mechanism in the area of national security, EU individuals can now submit complaints to their national data protection authority (DPA) regardless of the transfer tool used to transfer personal data to the U.S.
In addition to addressing data transfers to the U.S., the EDPB also adopted a Statement on the first review of the Japan Adequacy Decision. These amendments have led to a convergence with the GDPR and include the extension of the right to object to data processing, strengthening the duty to notify data breaches to the Japanese data protection authority and individuals, and broadening the scope of the Japan Act on the Protection of Personal Information (APPI) to no longer exclude personal data “set to be deleted” within six months.
In conclusion, the decisions made by the EDPB have significant implications for data transfers and adequacy decisions, ensuring the protection of individuals’ data rights and harmonization of data protection standards globally.
The decisions made by the European Data Protection Board (EDPB) regarding the Data Privacy Framework (DPF) and the first review of the Japan Adequacy Decision can potentially have implications for Turkey in terms of data transfers and data protection standards.