At the first tier, data subjects can, through an appropriate public authority, lodge a complaint with the newly-created independent Civil Liberties Protection Officer of the Office of the Director of National Intelligence (CLPO). At the second tier, the CLPO’s decision can be referred to the Data Protection Review Court (DPRC), which the EO mandates the US Attorney General to establish. Decisions from both the CLPO and DPRC are binding on US intelligence authorities. The redress mechanism is only available to data subjects in countries designated as “qualifying states” by the US Attorney General. The safeguards and redress mechanism are summarised in greater detail in the annex of this blogpost.

Is the EO an “Adequacy Decision” enabling transfers from the EEA/UK to the US?

No, the EO itself does not replace the invalidated Privacy Shield nor act as an adequacy finding. The EO does however pave the way for the European Commission to begin its adequacy assessment of transfers to the US for companies that already adhere to the Privacy Shield (as it is amended) by addressing the two key points raised by the CJEU. It will also serve the same purpose in respect of the UK Government’s assessment of UK to US transfers.

What should organisations be doing now with respect to transfers of personal data from the EEA/UK to the US?