COMMISSION IMPLEMENTING DECISION EU 2023/1795
of 10 July 2023
pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework
(notified under document C(2023)4745)
(Text with EEA relevance)
1. INTRODUCTION
2. THE EU-U.S. DATA PRIVACY FRAMEWORK
2.1. Personal and material scope
2.1.1. Certified organisations
2.1.2. Definition of personal data and concepts of controller and ‘agent’
2.2. EU-U.S. Data Privacy Framework Principles
2.2.1. Purpose limitation and choice
2.2.2. Processing of special categories of personal data
2.2.3. Data accuracy, minimisation and security
2.2.4. Transparency
2.2.5. Individual rights
2.2.6. Restrictions on onward transfers
2.2.7. Accountability
2.3. Administration, oversight and enforcement
2.3.1. (Re-)certification
2.3.2. Compliance monitoring
2.3.3. Identifying and addressing false claims of participation
2.3.4. Enforcement
2.4. Redress
3. ACCESS AND USE OF PERSONAL DATA TRANSFERRED FROM THE EUROPEAN UNION BY PUBLIC AUTHORITIES IN THE UNITED STATES
3.1. Access and use by U.S. public authorities for criminal law enforcement purposes
3.1.1. Legal bases, limitations and safeguards
3.1.1.1. Limitations and safeguards as regards the collection of personal data for criminal law enforcement purposes
3.1.1.2. Further use of the information collected
3.1.2. Oversight
3.1.3. Redress
3.2. Access and use by U.S. public authorities for national security purposes
3.2.1. Legal bases, limitations and safeguards
3.2.1.1. Applicable legal framework
3.2.1.2. Limitations and safeguards as regards the collection of personal data for national security purposes
3.2.1.3. Further use of the information collected
3.2.2. Oversight
3.2.3. Redress
4. CONCLUSION
5. EFFECTS OF THIS DECISION AND ACTION OF DATA PROTECTION AUTHORITIES
6. MONITORING AND REVIEW OF THIS DECISION
7. SUSPENSION, REPEAL OR AMENDMENT OF THIS DECISION
8. FINAL CONSIDERATIONS
Article 1
Article 2
Article 3
Article 4
ANNEX I
EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES ISSUED BY THE U.S. DEPARTMENT OF COMMERCE
I. OVERVIEW
II. PRINCIPLES
1. NOTICE
2. CHOICE
3. ACCOUNTABILITY FOR ONWARD TRANSFER
4. SECURITY
5. DATA INTEGRITY AND PURPOSE LIMITATION
6. ACCESS
7. RECOURSE, ENFORCEMENT AND LIABILITY
III. SUPPLEMENTAL PRINCIPLES
1. Sensitive Data
2. Journalistic Exceptions
3. Secondary Liability
4. Performing Due Diligence and Conducting Audits
5. The Role of the Data Protection Authorities
6. Self-Certification
7. Verification
8. Access
a. The Access Principle in Practice
b. Burden or Expense of Providing Access
c. Confidential Commercial Information
d. Organization of Data Bases
e. When Access May be Restricted
f. Right to Obtain Confirmation and Charging a Fee to Cover the Costs for Providing Access
g. Repetitious or Vexatious Requests for Access
h. Fraudulent Requests for Access
i. Timeframe for Responses
9. Human Resources Data
a. Coverage by the EU-U.S. DPF
b. Application of the Notice and Choice Principles
c. Application of the Access Principle
d. Enforcement
e. Application of the Accountability for Onward Transfer Principle
10. Obligatory Contracts for Onward Transfers
a. Data Processing Contracts
b. Transfers within a Controlled Group of Corporations or Entities
c. Transfers between Controllers
11. Dispute Resolution and Enforcement
12. Choice – Timing of Opt Out
13. Travel Information
14. Pharmaceutical and Medical Products
a. Application of EU/Member State Laws or the Principles
b. Future Scientific Research
c. Withdrawal from a Clinical Trial
d. Transfers for Regulatory and Supervision Purposes
e. “Blinded” Studies
f. Product Safety and Efficacy Monitoring
g. Key-coded Data
15. Public Record and Publicly Available Information
16. Access Requests by Public Authorities
ANNEX I: ARBITRAL MODEL
A. Scope
B. Available Remedies
C. Pre-Arbitration Requirements
D. Binding Nature of Decisions
E. Review and Enforcement
F. The Arbitration Panel
G. Arbitration Procedures
H. Costs
ANNEX II
UNITED STATES DEPARTMENT OF COMMERCE, Secretary of Commerce, Washington, D.C. 20230
ANNEX III
Administration and Supervision of the Data Privacy Framework Program by the Department of Commerce
ANNEX IV
Office of the Chair, UNITED STATES OF AMERICA Federal Trade Commission, WASHINGTON, D.C. 20580
I. Introduction
a. FTC Privacy Enforcement and Policy Work
b. U.S. Legal Protections Benefitting EU Consumers
c. FTC Enforcement Activity
II. Referral Prioritization and Investigations
III. Seeking and Monitoring Orders
IV. Enforcement Cooperation with EU DPAs
Appendix A: Privacy Shield and Safe Harbor Enforcement
No. | Docket/FTC File No. | Case | Link
1 | FTC File No. 2023062 Case No. 3:22-cv-03070 (N.D. Cal.) | US v. Twitter, Inc. |
2 | FTC File No. 192 3209 | In the Matter of Residual Pumpkin Entity, LLC, formerly d/b/a CafePress, and PlanetArt, LLC, d/b/a CafePress | CafePress
3 | FTC File No. 192 3133 Docket No. C-4747 | In the Matter of Flo Health, Inc. | Flo Health
4 | FTC File No. 192 3050 Docket No. C-4723 | In the Matter of Ortho-Clinical Diagnostics, Inc. | Ortho-Clinical
5 | FTC File No. 192 3092 Docket No. C-4709 | In the Matter of T&M Protection, LLC | T&M Protection
6 | FTC File No. 192 3084 Docket No. C-4704 | In the Matter of TDARX, Inc. | TDARX
7 | FTC File No. 192 3093 Docket No. C-4706 | In the Matter of Global Data Vault, LLC | Global Data
8 | FTC File No. 192 3078 Docket No. C-4703 | In the Matter of Incentive Services, Inc. | Incentive Services
9 | FTC File No. 192 3090 Docket No. C-4705 | In the Matter of Click Labs, Inc. | Click Labs
10 | FTC File No. 182 3192 Docket No. C-4697 | In the Matter of Medable, Inc. | Medable
11 | FTC File No. 182 3189 Docket No. 9386 | In the Matter of NTT Global Data Centers Americas, Inc., as successor in interest to RagingWire Data Centers, Inc. | RagingWire
12 | FTC File No. 182 3196 Docket No. C-4702 | In the Matter of Thru, Inc. | Thru
13 | FTC File No. 182 3188 Docket No. C-4698 | In the Matter of DCR Workforce, Inc. | DCR Workforce
14 | FTC File No. 182 3194 Docket No. C-4700 | In the Matter of LotaData, Inc. | LotaData
15 | FTC File No. 182 3195 Docket No. C-4701 | In the Matter of EmpiriStat, Inc. | EmpiriStat
16 | FTC File No. 182 3193 Docket No. C-4699 | In the Matter of 214 Technologies, Inc., also d/b/a Trueface.ai | Trueface.ai
17 | FTC File No. 182 3107 Docket No. 9383 | In the Matter of Cambridge Analytica, LLC | Cambridge Analytica
18 | FTC File No. 182 3152 Docket No. C-4685 | In the Matter of SecureTest, Inc. | SecurTest
19 | FTC File No. 182 3144 Docket No. C-4664 | In the Matter of VenPath, Inc. | VenPath
20 | FTC File No. 182 3154 Docket No. C-4666 | In the Matter of SmartStart Employment Screening, Inc. | SmartStart
21 | FTC File No. 182 3143 Docket No. C-4663 | In the Matter of mResourceLLC, d/b/a Loop Works LLC | mResource
22 | FTC File No. 182 3150 Docket No. C-4665 | In the Matter of Idmission LLC | IDmission
23 | FTC File No. 182 3100 Docket No. C-4659 | In the Matter of ReadyTech Corporation | ReadyTech
24 | FTC File No. 172 3173 Docket No. C-4630 | In the Matter of Decusoft, LLC | Decusoft
25 | FTC File No. 172 3171 Docket No. C-4628 | In the Matter of Tru Communication, Inc. | Tru
26 | FTC File No. 172 3172 Docket No. C-4629 | In the Matter of Md7, LLC | Md7
30 | FTC File No. 152 3198 Docket No. C-4543 | In the Matter of Jhayrmaine Daniels (d/b/a California Skate-Line) | Jhayrmaine Daniels
31 | FTC File No. 152 3190 Docket No. C-4545 | In the Matter of Dale Jarrett Racing Adventure, Inc. | Dale Jarrett
32 | FTC File No. 152 3141 Docket No. C-4540 | In the Matter of Golf Connect, LLC | Golf Connect
33 | FTC File No. 152 3202 Docket No. C-4546 | In the Matter of Inbox Group, LLC | Inbox Group
34 | File No. 152 3187 Docket No. C-4542 | In the Matter of IOActive, Inc. | IOActive
35 | FTC File No. 152 3140 Docket No. C-4549 | In the Matter of Jubilant Clinsys, Inc. | Jubilant
36 | FTC File No. 152 3199 Docket No. C-4547 | In the Matter of Just Bagels Manufacturing, Inc. | Just Bagels
37 | FTC File No. 152 3138 Docket No. C-4548 | In the Matter of NAICS Association, LLC | NAICS
38 | FTC File No. 152 3201 Docket No. C-4544 | In the Matter of One Industries Corp. | One Industries
39 | FTC File No. 152 3137 Docket No. C-4550 | In the Matter of Pinger, Inc. | Pinger
40 | FTC File No. 152 3193 Docket No. C-4552 | In the Matter of SteriMed Medical Waste Solutions | SteriMed
41 | FTC File No. 152 3184 Docket No. C-4541 | In the Matter of Contract Logix, LLC | Contract Logix
42 | FTC File No. 152 3185 Docket No. C-4551 | In the Matter of Forensics Consulting Solutions, LLC | Forensics Consulting
43 | FTC File No. 152 3051 Docket No. C-4526 | In the Matter of American Int'l Mailing, Inc. | AIM
44 | FTC File No. 152 3015 Docket No. C-4525 | In the Matter of TES Franchising, LLC | TES
45 | FTC File No. 142 3036 Docket No. C-4459 | In the Matter of American Apparel, Inc. | American Apparel
46 | FTC File No. 142 3026 Docket No. C-4469 | In the Matter of Fantage.com, Inc. | Fantage
47 | FTC File No. 142 3017 Docket No. C-4461 | In the Matter of Apperian, Inc. | Apperian
48 | FTC File No. 142 3018 Docket No. C-4462 | In the Matter of Atlanta Falcons Football Club, LLC | Atlanta Falcons
49 | FTC File No. 142 3019 Docket No. C-4463 | In the Matter of Baker Tilly Virchow Krause, LLP | Baker Tilly
50 | FTC File No. 142 3020 Docket No. C-4464 | In the Matter of BitTorrent, Inc. | BitTorrent
51 | FTC File No. 142 3022 Docket No. C-4465 | In the Matter of Charles River Laboratories, Int'l | Charles River
52 | FTC File No. 142 3023 Docket No. C-4466 | In the Matter of DataMotion, Inc. | DataMotion
53 | FTC File No. 142 3024 Docket No. C-4467 | In the Matter of DDC Laboratories, Inc., d/b/a DNA Diagnostics Center | DDC
54 | FTC File No. 142 3028 Docket No. C-4470 | In the Matter of Level 3 Communications, LLC | Level 3
55 | FTC File No. 142 3025 Docket No. C-4468 | In the Matter of PDB Sports, Ltd., d/b/a the Denver Broncos Football Club, LLP | Broncos
56 | FTC File No. 142 3030 Docket No. C-4471 | In the Matter of Reynolds Consumer Products, Inc. | Reynolds
57 | FTC File No. 142 3031 Docket No. C-4472 | In the Matter of Receivable Management Services Corporation | Receivable Mgmt
58 | FTC File No. 142 3032 Docket No. C-4473 | In the Matter of Tennessee Football, Inc. | Tennessee Football
59 | FTC File No. 102 3058 Docket No. C-4369 | In the Matter of Myspace LLC | Myspace
60 | FTC File No. 092 3184 Docket No. C-4365 | In the Matter of Facebook, Inc. |
61 | FTC File No. 092 3081 Civil Action No. 09-CV-5276 (C.D. Cal.) | FTC v. Javian Karnani, and Balls of Kryptonite, LLC, d/b/a Bite Size Deals, LLC, and Best Priced Brands, LLC | Balls of Kryptonite
62 | FTC File No. 102 3136 Docket No. C-4336 | In the Matter of Google, Inc. |
63 | FTC File No. 092 3137 Docket No. C-4282 | In the Matter of World Innovators, Inc. | World Innovators
64 | FTC File No. 092 3141 Docket No. C-4271 | In the Matter of Progressive Gaitways LLC | Progressive Gaitways
65 | FTC File No. 092 3139 Docket No. C-4270 | In the Matter of Onyx Graphics, Inc. | Onyx Graphics
66 | FTC File No. 092 3138 Docket No. C-4269 | In the Matter of ExpatEdge Partners, LLC | ExpatEdge
67 | FTC File No. 092 3140 Docket No. C-4281 | In the Matter of Directors Desk LLC | Directors Desk
68 | FTC File No. 092 3142 Docket No. C-4272 | In the Matter of Collectify LLC | Collectify
ANNEX V
1. Background
A. DOT’s Privacy Authority
B. Enforcement Practices
C. DOT Legal Protections Benefiting EU Consumers
II. EU-U.S. DPF Principles Enforcement
A. Prioritizing Investigation of Alleged Violations
B. Addressing False or Deceptive Participation Claims
C. Monitoring and Making Public Enforcement Orders Concerning EU-U.S. DPF Violations
ANNEX VI
U.S. Department of Justice, Criminal Division, Office of Assistant Attorney General, Washington, D.C. 20530
ANNEX VII
OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE OFFICE OF GENERAL COUNSEL
WASHINGTON, DC 20511
ANNEX VIII
List of abbreviations
AAA | American Arbitration Association
AG Regulation | Attorney General Regulation on the Data Protection Review Court
AGG-DOM | Attorney General Guidelines for Domestic FBI Operations
APA | Administrative Procedure Act
CIA | Central Intelligence Agency
CNSS | Committee on National Security Systems
Court of Justice | Court of Justice of the European Union
Decision | Commission Implementing Decision pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework
DHS | Department of Homeland Security
DNI | Director of National Intelligence
DoC | U.S. Department of Commerce
DoJ | U.S. Department of Justice
DoT | U.S. Department of Transportation
DPA | Data Protection Authority
DPF List | Data Privacy Framework List
DPRC | Data Protection Review Court
ECOA | Equal Credit Opportunity Act
ECPA | Electronic Communications Privacy Act
EEA | European Economic Area
EO 12333 | Executive Order 12333 ‘United States Intelligence Activities’
EO 14086, the EO | Executive Order 14086 ‘Enhancing Safeguards for US Signals Intelligence Activities’
EU-U.S. DPF or DPF | EU-U.S. Data Privacy Framework
EU-U.S. DPF Panel | EU-U.S. Data Privacy Framework Panel
FBI | Federal Bureau of Investigation
FCRA | Fair Credit Reporting Act
FISA | Foreign Intelligence Surveillance Act
FISC | Foreign Intelligence Surveillance Court
FISCR | Foreign Intelligence Surveillance Court of Review
FOIA | Freedom of Information Act
FRA | Federal Records Act
FTC | U.S. Federal Trade Commission
HIPAA | Health Insurance Portability and Accountability Act
ICDR | International Centre for Dispute Resolution
IOB | Intelligence Oversight Board
NIST | National Institute of Standards and Technology
NSA | National Security Agency
NSL | National Security Letter(s)
ODNI | Office of the Director of National Intelligence
ODNI CLPO, CLPO | Civil Liberties Protection Officer of the Director of National Intelligence
OMB | Office of Management and Budget
OPCL | Office of Privacy and Civil Liberties of the Department of Justice
PCLOB | Privacy and Civil Liberties Oversight Board
PIAB | President’s Intelligence Advisory Board
PPD 28 | Presidential Policy Directive 28
Regulation (EU) 2016/679 | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
SAOP | Senior Agency Official for Privacy
The Principles | EU-U.S. Data Privacy Framework Principles
U.S. | United States
Union | European Union