Who doesn't like a good Friday afternoon development — especially if it is not a data breach.

This time, the news came from EU member states as they approved the European Commission's adequacy decision supporting the EU-U.S. Data Privacy Framework. The decision took effect 11 July.

Organizations can begin referring to the DPF in transfer impact assessments required under standard contractual clauses. They can also acknowledge changes the framework brings to U.S. systems on government access practices and judicial redress. A transition period to update privacy notices and for other necessary preparation should be granted to organizations that remained certified to the EU-U.S. Privacy Shield.

Since reaching a political agreement in March 2022, the trans-Atlantic partners had been working toward putting in place all the elements needed not only to cement the DPF but, more fundamentally, to ensure it would live up to the expectations of privacy professionals, concerned individuals and ultimately — let's face it — judges of the Court of Justice of the European Union. Only time will tell how sustainable the DPF is, how strong buy-in by privacy professionals is, and how satisfied concerned individuals will be.

Regardless, this decision is a strong political signal on at least two counts. First, it shows the EU-U.S. partnership can still deliver when political will is there, despite spicy discussions at times on digital policy and sovereignty postures — remember the deal was announced by European Commission President Ursula von der Leyen and U.S. President Joe Biden themselves. Second, it furthers a notion of reciprocity in the EU approach to adequacy.

On the notion of reciprocity, perhaps the first step was the mutual adequacy decision the EU reached with Japan. The DPF is very different in nature, but one important piece of the puzzle was the U.S. Department of Justice designating the EU, its member states and European Economic Area countries as providing "appropriate safeguards in the conduct of signals intelligence activities for United States persons' personal information that is transferred from the United States to the territory."

Some member states' practices and lack of transparency have raised eyebrows over the years but have not been the subject of scrutiny at a level similar to that of third countries in the context of adequacy discussions. It will be interesting to see whether and how some civil society groups leverage this designation by the U.S. to look under the hood.

Elsewhere:

  • The European Commission just released the European Innovation Scoreboard 2023 and the numbers are good. The report captures an improved innovation performance in 25 member states. The top innovators among member states are Denmark, Sweden and Finland, with Romania and Bulgaria lagging behind.
  • The text for the Data Governance Act entered into force in June 2022 and there is still some work to do. EU member states have to designate competent authorities by the same timeline and little is transpiring about that designation across the continent. The European Commission is also setting up the new European Data Innovation Board, a 40-member advisory body on ensuring harmonized practices and guidelines on the implementation of the DGA across the EU/EEA. The commission just closed a call for applications for members, who will sit alongside member state representatives and other authorities (such as EDPB, EDPS and the EU cyber agency ENISA). It is looking for experience in data access and sharing, standardization and interoperability for data sharing, and data-based innovation with startups.
  • The update of the second Payment Services Directive is now underway. Since 2015, the PSD2 has set out rules for all retail payments in the EU — euro and non-euro, domestic and cross-border. The proposed update refreshes the rules to better combat fraud and improve the functioning of open banking. It also aims to improve consumer rights by, among other things, giving full control to customers over who accesses their data and for what data sharing purpose, standardizing customer data and the technical interfaces, and setting clear liability regimes for data breaches and dispute resolution mechanisms.
  • The next IAPP Data Protection Intensive: UK will run on 28-29 Feb. 2024. The call for proposals is open until 20 Aug. Registration is still open for the Data Protection Intensive: Germany (Munich, 13-14 Sept.) and the Europe Data Protection Congress (Brussels, 15-16 Nov.). Further information is available on the IAPP website.

Comments, suggestions, constructive criticism? iroccia@iapp.org