Commission Implementing Decision EU 2023/1795



What is the Commission Implementing Decision EU 2023/1795?

It is the decision where the Commission (in Article 1) recognises that the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States that are included in the ‘Data Privacy Framework List’, maintained and made publicly available by the U.S. Department of Commerce.

The full name of the decision is: "Commission Implementing Decision EU 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework (notified under document C(2023)4745) (Text with EEA relevance)".


The Commission Implementing Decision EU 2023/1795

1. INTRODUCTION


(1) Regulation (EU) 2016/679 sets out the rules for the transfer of personal data from controllers or processors in the Union to third countries and international organisations to the extent that such transfers fall within its scope of application. The rules on international data transfers are laid down in Chapter V of that Regulation. While the flow of personal data to and from countries outside the European Union is essential for the expansion of cross-border trade and international cooperation, the level of protection afforded to personal data in the Union must not be undermined by transfers to third countries or international organisations.


(2) Pursuant to Article 45(3) of Regulation (EU) 2016/679, the Commission may decide, by means of an implementing act, that a third country, a territory or one or more specified sectors within a third country, ensure(s) an adequate level of protection. Under this condition, transfers of personal data to a third country may take place without the need to obtain any further authorisation, as provided for in Article 45(1) and recital 103 of Regulation (EU) 2016/679.


(3) As specified in Article 45(2) of Regulation (EU) 2016/679, the adoption of an adequacy decision has to be based on a comprehensive analysis of the third country’s legal order, covering both the rules applicable to data importers and the limitations and safeguards as regards access to personal data by public authorities. In its assessment, the Commission has to determine whether the third country in question guarantees a level of protection ‘essentially equivalent’ to that ensured within the Union (recital 104 of Regulation (EU) 2016/679). Whether this is the case is to be assessed against Union legislation, notably Regulation (EU) 2016/679, as well as the case law of the Court of Justice of the European Union (the Court of Justice).


(4) As clarified by the Court of Justice in its judgment of 6 October 2015 in Case C-362/14, Maximillian Schrems v Data Protection Commissioner (Schrems), this does not require finding an identical level of protection. In particular, the means to which the third country in question has recourse for protecting personal data may differ from the ones employed in the Union, as long as they prove, in practice, effective for ensuring an adequate level of protection. The adequacy standard therefore does not require a point-to-point replication of Union rules. Rather, the test is whether, through the substance of privacy rights and their effective implementation, supervision and enforcement, the foreign system as a whole delivers the required level of protection.

Furthermore, according to that judgment, when applying this standard, the Commission should notably assess whether the legal framework of the third country in question provides rules intended to limit interferences with the fundamental rights of the persons whose data is transferred from the Union, which the State entities of that country would be authorised to engage in when they pursue legitimate objectives, such as national security, and provides effective legal protection against interferences of that kind. The ‘Adequacy Referential’ of the European Data Protection Board, which seeks to further clarify this standard, also provides guidance in this regard.


(5) The applicable standard with respect to such interference with the fundamental rights to privacy and data protection was further clarified by the Court of Justice in its judgment of 16 July 2020 in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Schrems II), which invalidated Commission Implementing Decision (EU) 2016/1250 on a previous transatlantic data flow framework, the EU-U.S. Privacy Shield (Privacy Shield).

The Court of Justice considered that the limitations to the protection of personal data arising from U.S. domestic law on the access and use by U.S. public authorities of data transferred from the Union to the United States for national security purposes were not circumscribed in a way that satisfies requirements that are essentially equivalent to those under Union law, as regards the necessity and proportionality of such interferences with the right to data protection.

The Court of Justice also considered that no cause of action was available before a body which offers the persons whose data was transferred to the United States guarantees essentially equivalent to those required by Article 47 of the Charter on the right to an effective remedy.


(6) Following the Schrems II judgment, the Commission entered into talks with the U.S. government with a view to a possible new adequacy decision that would meet the requirements of Article 45(2) of Regulation (EU) 2016/679 as interpreted by the Court of Justice. As a result of these discussions, the United States on 7 October 2022 adopted Executive Order 14086 ‘Enhancing Safeguards for US Signals Intelligence Activities’ (EO 14086), which is complemented by a Regulation on the Data Protection Review Court issued by the U.S. Attorney General (AG Regulation). In addition, the framework that applies to commercial entities processing data transferred from the Union under the present Decision – the ‘EU-U.S. Data Privacy Framework’ (EU-U.S. DPF or DPF) – has been updated.


(7) The Commission has carefully analysed U.S. law and practice, including EO 14086 and the AG Regulation. Based on the findings set out in recitals 9-200, the Commission concludes that the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. DPF from a controller or a processor in the Union to certified organisations in the United States.


(8) This Decision has the effect that personal data transfers from controllers and processors in the Union to certified organisations in the United States may take place without the need to obtain any further authorisation. It does not affect the direct application of Regulation (EU) 2016/679 to such organisations where the conditions regarding the territorial scope of that Regulation, laid down in its Article 3, are fulfilled.


2. THE EU-U.S. DATA PRIVACY FRAMEWORK

2.1. Personal and material scope

2.1.1. Certified organisations


(9) The EU-U.S. DPF is based on a system of certification by which U.S. organisations commit to a set of privacy principles - the ‘EU-U.S. Data Privacy Framework Principles’, including the Supplemental Principles (together: the Principles) - issued by the U.S. Department of Commerce (DoC) and contained in Annex I to this Decision. To be eligible for certification under the EU-U.S. DPF, an organisation must be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the U.S. Department of Transportation (DoT). The Principles apply immediately upon certification. As explained in more detail in recitals 48-52, EU-U.S. DPF organisations are required to re-certify their adherence to the Principles on an annual basis.


2.1.2. Definition of personal data and concepts of controller and ‘agent’


(10) The protection afforded under the EU-U.S. DPF applies to any personal data transferred from the Union to organisations in the U.S. that have certified their adherence to the Principles with the DoC, with the exception of data that is collected for publication, broadcast or other forms of public communication of journalistic material and information in previously published material disseminated from media archives. Such information can therefore not be transferred on the basis of the EU-U.S. DPF.


(11) The Principles define personal data/personal information in the same way as Regulation (EU) 2016/679, i.e. as “data about an identified or identifiable individual that are within the scope of the GDPR received by an organization in the United States from the EU, and recorded in any form”. Accordingly, they also cover pseudonymised (or “key-coded”) research data (including where the key is not shared with the receiving U.S. organisation). Similarly, the notion of processing is defined as “any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination and erasure or destruction”.


(12) The EU-U.S. DPF applies to organisations in the U.S. that qualify as controllers (i.e. as a person or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data) or processors (i.e. agents acting on behalf of a controller). U.S. processors must be contractually bound to act only on instructions from the EU controller and assist the latter in responding to individuals exercising their rights under the Principles. In addition, in the case of sub-processing, a processor must conclude a contract with the sub-processor guaranteeing the same level of protection as provided by the Principles and take steps to ensure its proper implementation.


2.2. EU-U.S. Data Privacy Framework Principles

2.2.1. Purpose limitation and choice


(13) Personal data should be processed lawfully and fairly. It should be collected for a specific purpose and subsequently used only insofar as this is not incompatible with the purpose of processing.


(14) Under the EU-U.S. DPF, this is ensured through different Principles. Firstly, under the Data Integrity and Purpose Limitation Principle, similarly as under Article 5(1)(b) of Regulation (EU) 2016/679, an organisation may not process personal data in a way that is incompatible with the purpose for which it was originally collected or subsequently authorised by the data subject.


(15) Secondly, before using personal data for a new (changed) purpose that is materially different but still compatible with the original purpose, or disclosing it to a third party, the organisation must provide data subjects with the opportunity to object (opt-out), in accordance with the Choice Principle, through a clear, conspicuous and readily available mechanism. Importantly, this Principle does not supersede the express prohibition on incompatible processing.


2.2.2. Processing of special categories of personal data


(16) Specific safeguards should exist where ‘special categories’ of data are processed.


(17) In accordance with the Choice Principle, specific safeguards apply to the processing of ‘sensitive information’, i.e. personal data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information on the sex life of the individual or any other information received from a third party that is identified and treated by that party as sensitive. This means that any data that is considered sensitive under Union data protection law (including data on sexual orientation, genetic data and biometric data) will be treated as sensitive under the EU-U.S. DPF by certified organisations.


(18) As a general rule, organisations must obtain affirmative express consent (i.e. opt-in) from individuals to use sensitive information for purposes other than those for which it was originally collected or subsequently authorised by the individual (through opt-in), or to disclose it to third parties.


(19) Such consent does not have to be obtained in limited circumstances similar to comparable exceptions provided under Union data protection law, e.g. where the processing of sensitive data is in the vital interest of a person; is necessary for the establishment of legal claims; or is required to provide medical care or diagnosis.


2.2.3. Data accuracy, minimisation and security


(20) Data should be accurate and, where necessary, kept up to date. It should also be adequate, relevant and not excessive in relation to the purposes for which it is processed, and in principle be kept for no longer than is necessary for the purposes for which the personal data is processed.


(21) Under the Data Integrity and Purpose Limitation Principle, personal data must be limited to what is relevant for the purpose of the processing. In addition, organisations must, to the extent necessary for the purposes of the processing, take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete and current.


(22) Moreover, personal information may be retained in a form identifying or rendering an individual identifiable (and thus in the form of personal data) only for as long as it serves the purpose(s) for which it was initially collected or subsequently authorised by the individual pursuant to the Choice Principle. This obligation does not prevent organisations from continuing to process personal information for longer periods, but only for the time and to the extent such processing reasonably serves one of the following specific purposes similar to comparable exceptions provided under Union data protection law: archiving in the public interest, journalism, literature and art, scientific and historical research and statistical analysis. Where personal data is retained for one of these purposes, its processing is subject to the safeguards provided by the Principles.


(23) Personal data should also be processed in a manner that ensures its security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. To that end, controllers and processors should take appropriate technical or organisational measures to protect personal data from possible threats. These measures should be assessed taking into consideration the state of the art, related costs and the nature, scope, context and purposes of processing, as well as the risks for the rights of individuals.


(24) Under the EU-U.S. DPF, this is ensured by the Security Principle, which requires, similarly to Article 32 of Regulation (EU) 2016/679, to take reasonable and appropriate security measures, taking into account the risks involved in the processing and the nature of the data.


2.2.4. Transparency


(25) Data subjects should be informed of the main features of the processing of their personal data.


(26) This is ensured through the Notice Principle, which, similarly to the transparency requirements under Regulation (EU) 2016/679, requires organisations to inform data subjects about, inter alia,

(i) the participation of the organisation in the DPF,

(ii) the type of data collected,

(iii) the purpose of the processing,

(iv) the type or identity of third parties to which personal data may be disclosed and the purposes for doing so,

(v) their individual rights,

(vi) how to contact the organisation and

(vii) available redress avenues.


(27) This notice must be provided in a clear and conspicuous language when individuals are first asked to provide the personal data or as soon as practicable thereafter, but in any event before the data is used for a materially different (but compatible) purpose than the one for which it was collected, or before it is disclosed to a third party.


(28) In addition, organisations must make their privacy policies reflecting the Principles public (or, in the case of human resources data, make them readily available to the concerned individuals) and provide links to the DoC’s website (with further details on certification, the rights of data subjects and available recourse mechanisms), the Data Privacy Framework List (DPF List) of participating organisations and the website of an appropriate alternative dispute settlement provider.


2.2.5. Individual rights


(29) Data subjects should have certain rights which can be enforced against the controller or processor, in particular the right of access to data, the right to object to the processing and the right to have data rectified and erased.


(30) The Access Principle of the EU-U.S. DPF provides individuals with such rights. In particular, data subjects have the right, without the need for justification, to obtain from an organisation confirmation of whether it is processing personal data related to them; have the data communicated to them; and obtain information about the purpose of the processing, the categories of personal data being processed and the (categories of) recipients to whom the data is disclosed.

Organisations are required to respond to access requests within a reasonable period of time. An organisation may set reasonable limits to the number of times within a given period that access requests from a particular individual will be met and may charge a fee that is not excessive, e.g. where requests are manifestly excessive, in particular because of their repetitive character.


(31) The right of access may only be restricted in exceptional circumstances similar to the ones provided under Union data protection law, in particular where the legitimate rights of others would be violated; where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the circumstances of the case (although expense and burden are not controlling factors in determining whether providing access is reasonable); to the extent that disclosure is likely to interfere with the safeguarding of important countervailing public interests, such as national security, public security or defence; the information contains confidential commercial information; or the information is processed solely for research or statistical purposes.

Any denial of, or limitation to, a right has to be necessary and duly justified, with the organisation bearing the burden of demonstrating that these requirements are fulfilled. In carrying out that assessment, the organisation must take particular account of the individual’s interests. Where it is possible to separate information from other data to which a restriction applies, the organisation must redact the protected information and disclose the remaining information.


(32) In addition, data subjects have the right to obtain rectification or amendment of inaccurate data, and to obtain deletion of data that has been processed in violation of the Principles. Moreover, as explained in recital 15, individuals have a right to object/opt-out to the processing of their data for materially different (but compatible) purposes than those for which the data was collected and to the disclosure of their data to third parties. When personal data is used for direct marketing purposes, individuals have a general right to opt-out from the processing at any time.


(33) The Principles do not specifically address the issue of decisions affecting the data subject based solely on the automated processing of personal data. However, as regards personal data that has been collected in the Union, any decision based on automated processing will typically be taken by the controller in the Union (which has a direct relationship with the concerned data subject) and is thus directly subject to Regulation (EU) 2016/679. This includes transfer scenarios where the processing is carried out by a foreign (for instance U.S.) business operator acting as an agent (processor) on behalf of the controller in the Union (or as a sub-processor acting on behalf of the Union processor having received the data from a Union controller that collected it) which on this basis then takes the decision.


(34) This was confirmed by a study commissioned by the Commission in 2018 in the context of the second annual review of the functioning of the Privacy Shield, which concluded that, at the time, there was no evidence suggesting that automated decision-making was normally being carried out by Privacy Shield organisations on the basis of personal data transferred under the Privacy Shield.


(35) In any event, in areas where companies most likely resort to the automated processing of personal data to take decisions affecting the individual (e.g. credit lending, mortgage offers, employment, housing and insurance), U.S. law offers specific protections against adverse decisions. These acts typically provide that individuals have the right to be informed of the specific reasons underlying the decision (e.g. the rejection of a credit), to dispute incomplete or inaccurate information (as well as reliance on unlawful factors), and to seek redress.

In the area of consumer credit, the Fair Credit Reporting Act (FCRA) and Equal Credit Opportunity Act (ECOA) contain safeguards that provide consumers with some form of a right to explanation and a right to contest the decision. These Acts are relevant in a wide range of areas, including credit, employment, housing and insurance.

In addition, certain anti-discrimination laws, such as Title VII of the Civil Rights Act and the Fair Housing Act, provide individuals with protections with respect to models used in automated decision-making that could lead to discrimination on the basis of certain characteristics, and grant individuals rights to challenge such decisions, including automated ones. With respect to health information, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule creates certain rights that are similar to those of Regulation (EU) 2016/679 with respect to accessing personal health information. In addition, guidance from the U.S. authorities requires medical providers to receive information that allows them to inform individuals of automated decision-making systems used in the medical sector.


(36) Therefore, these rules offer protections similar to those provided under Union data protection law in the unlikely situation in which automated decisions would be taken by the EU-U.S. DPF organisation itself.


2.2.6. Restrictions on onward transfers


(37) The level of protection afforded to personal data transferred from the Union to organisations in the United States must not be undermined by the further transfer of such data to a recipient in the United States or another third country.


(38) Under the Accountability for Onward Transfer Principle, special rules apply for so-called ‘onward transfers’, i.e. transfers of personal data from an EU-U.S. DPF organisation to a third party controller or processor, irrespective of whether the latter is located in the United States or a third country outside the United States (and the Union). Any onward transfer can only take place (i) for limited and specified purposes, (ii) on the basis of a contract between the EU-U.S. DPF organisation and the third party (or a comparable arrangement within a corporate group) and (iii) only if that contract requires the third party to provide the same level of protection as the one guaranteed by the Principles.


(39) This obligation to provide the same level of protection as guaranteed by the Principles, read in combination with the Data Integrity and Purpose Limitation Principle, notably means that the third party may only process the personal information transmitted to it for purposes that are not incompatible with the purposes for which it was collected or subsequently authorised by the individual (in accordance with the Choice Principle).


(40) The Accountability for Onward Transfer Principle should also be read in conjunction with the Notice Principle and, in the case of an onward transfer to a third party controller, with the Choice Principle, according to which data subjects must be informed (among others) about the type/identity of any third party recipient, the purpose of the onward transfer and the choice offered, and can object (opt out) or, in the case of sensitive data, have to give “affirmative express consent” (opt in) for the onward transfer.


(41) The obligation to provide the same level of protection as required by the Principles applies to any and all third parties involved in the processing of the data so transferred irrespective of their location (in the U.S. or another third country) as well as when the original third party recipient itself transfers those data to another third party recipient, for example for sub-processing purposes.


(42) In all cases, the contract with the third-party recipient must provide that the latter will notify the EU-U.S. DPF organisation if it makes a determination that it can no longer meet its obligation. When such a determination is made, the processing by the third party must cease or other reasonable and appropriate steps must be taken to remedy the situation.


(43) Additional protections apply in the case of an onward transfer to a third party agent (i.e. a processor). In such a case, the U.S. organisation must ensure that the agent only acts on its instructions and take reasonable and appropriate steps (i) to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organisation’s obligations under the Principles and, (ii) to stop and remediate unauthorised processing, upon notice. The organisation may be required by the DoC to provide a summary or representative copy of the privacy provisions of the contract. Where compliance problems arise in a (sub-)processing chain, the organisation acting as the controller of the personal data will in principle face liability, as specified in the Recourse, Enforcement and Liability Principle, except if it proves that it is not responsible for the event giving rise to the damage.


2.2.7. Accountability


(44) Under the accountability principle, entities processing data are required to put in place appropriate technical and organisational measures to effectively comply with their data protection obligations and be able to demonstrate such compliance, in particular to the competent supervisory authority.


(45) Once an organisation has voluntarily decided to certify under the EU-U.S. DPF, its effective compliance with the Principles is compulsory and enforceable. Under the Recourse, Enforcement and Liability Principle, EU-U.S. DPF organisations must provide effective mechanisms to ensure compliance with the Principles. Organisations must also take measures to verify that their privacy policies conform to the Principles and are in fact complied with. This can be done either through a system of self-assessment, which must include internal procedures ensuring that employees receive training on the implementation of the organisation’s privacy policies and that compliance is periodically reviewed in an objective manner, or outside compliance reviews, the methods of which may include auditing, random checks or use of technology tools.


(46) In addition, organisations must retain records on the implementation of their EU-U.S. DPF practices and make them available upon request in the context of an investigation or a complaint about non-compliance to an independent dispute resolution body or competent enforcement authority.


Read more - Commission Implementing Decision EU 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework

https://eur-lex.europa.eu/eli/dec_impl/2023/1795

