🔒 Practical implications following the EU Commission's adequacy decision for the EU-U.S. Data Privacy Framework 🔒

📅 On 10 July 2023, the European Commission adopted its adequacy decision on the EU-U.S. DPF, but what does this mean operationally for transfers from the EU to organizations in the U.S.?

✉️ Transfers of personal data can now be made to U.S. organizations certified as EU-U.S. DPF participants without needing appropriate safeguards like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).

🏢 To join the DPF, U.S. organizations must be eligible to participate and must certify their compliance with the DPF’s underlying privacy principles, including adopting a DPF-compliant privacy policy. Self-certification can be done via the DPF website, but certification is not active until it has been granted by the U.S. Department of Commerce (DoC).

📜 The DoC confirmed that active Privacy Shield participants may immediately rely on the EU-U.S. DPF. Such organizations are required to update their privacy notices to reflect reliance on the EU-U.S. DPF and its principles by 10 October 2023. Organizations that do not wish to comply with the EU-U.S. DPF principles must complete a withdrawal process.

🛡️ Transfers to U.S.-based organizations that are not EU-U.S. DPF participants cannot be based on the adequacy decision. Such transfers will still require appropriate safeguards such as SCCs (including transfer impact assessments) or BCRs.

🇬🇧🇨🇭 The EU adequacy decision does not benefit the UK or Switzerland. The UK recently reiterated its commitment to a UK-U.S. Data Bridge, but until it reaches an adequacy decision, transfers from the UK/Gibraltar to the U.S. still need an IDTA or UK Addendum to the SCCs. The same applies to Switzerland. Adequacy decisions from both are expected soon.

🏛️ The EU-U.S. DPF marks a significant step forward, but for how long before a further legal challenge is mounted?

Check out the latest posts:


📜 White House issues Executive Order setting new standards for AI regulation 🌐

President Biden has taken a stride in ensuring that America takes the forefront in harnessing the potential of artificial intelligence (AI) while also addressing its challenges.


Update on EU's AI Act: EU policymakers Have Proposed Stricter Regulations for High-Risk AI Systems

EU policymakers are planning to have changes to the AI Act, aimed at regulating Artificial Intelligence in a risk-based approach. The core of this legislation is to ensure the safety and protection of fundamental rights when it comes to high-risk AI systems.

In the original proposal, certain AI solutions were automatically categorized as high-risk, but recent discussions introduced exemption conditions to allow AI developers to avoid this classification. However, the European Parliament’s legal office expressed concerns that this approach might lead to legal uncertainty and not align with the AI Act’s objectives.


🔍 Face search company Clearview AI overturns UK privacy fine

Clearview AI, a company specializing in facial recognition technology, has successfully overturned a £7.5 million privacy fine imposed by the UK’s Information Commissioner’s Office (#ICO). The company’s innovative technology empowers clients to search a vast database of images collected from the internet for matches to specific faces, providing valuable links to where these matching images appear online.