欧盟委员会通过欧盟-美国数据隐私框架的充分性决定（英）k-137页-WN7.pdf

《欧盟委员会通过欧盟-美国数据隐私框架的充分性决定（英）k-137页-WN7.pdf》由会员分享，可在线阅读，更多相关《欧盟委员会通过欧盟-美国数据隐私框架的充分性决定（英）k-137页-WN7.pdf（137页珍藏版）》请在淘文阁 - 分享文档赚钱的网站上搜索。

1、EN EN EUROPEAN COMMISSION Brussels,10.7.2023 C(2023)4745 final COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation(EU)2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework (Text with EEA rel

2、evance)EN 1 EN COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation(EU)2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework (Text with EEA relevance)THE EUROPEAN COMMISSION,Having regard to

3、the Treaty on the Functioning of the European Union,Having regard to Regulation(EU)2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data,and repealing Directive

4、 95/46/EC(General Data Protection Regulation)1,and in particular Article 45(3)thereof,Whereas:1.INTRODUCTION(1)Regulation(EU)2016/6792 sets out the rules for the transfer of personal data from controllers or processors in the Union to third countries and international organisations to the extent tha

5、t such transfers fall within its scope of application.The rules on international data transfers are laid down in Chapter V of that Regulation.While the flow of personal data to and from countries outside the European Union is essential for the expansion of cross-border trade and international cooper

6、ation,the level of protection afforded to personal data in the Union must not be undermined by transfers to third countries or international organisations3.(2)Pursuant to Article 45(3)of Regulation(EU)2016/679,the Commission may decide,by means of an implementing act,that a third country,a territory

7、 or one or more specified sectors within a third country,ensure(s)an adequate level of protection.Under this condition,transfers of personal data to a third country may take place without the need to obtain any further authorisation,as provided for in Article 45(1)and recital 103 of Regulation(EU)20

8、16/679.(3)As specified in Article 45(2)of Regulation(EU)2016/679,the adoption of an adequacy decision has to be based on a comprehensive analysis of the third countrys legal order,covering both the rules applicable to data importers and the limitations and safeguards as regards access to personal da

9、ta by public authorities.In its assessment,the Commission has to determine whether the third country in question guarantees a level of protection essentially equivalent to that ensured within the Union(recital 1 OJ L 119,4.5.2016,p.1.2 For ease of reference,a list of abbreviations used in this Decis

10、ion is included in Annex VIII.3 See recital 101 of Regulation(EU)2016/679.EN 2 EN 104 of Regulation(EU)2016/679).Whether this is the case is to be assessed against Union legislation,notably Regulation(EU)2016/679,as well as the case law of the Court of Justice of the European Union(the Court of Just

11、ice)4.(4)As clarified by the Court of Justice in its judgment of 6 October 2015 in Case C-362/14,Maximillian Schrems v Data Protection Commissioner5(Schrems),this does not require finding an identical level of protection.In particular,the means to which the third country in question has recourse for

12、 protecting personal data may differ from the ones employed in the Union,as long as they prove,in practice,effective for ensuring an adequate level of protection6.The adequacy standard therefore does not require a point-to-point replication of Union rules.Rather,the test is whether,through the subst

13、ance of privacy rights and their effective implementation,supervision and enforcement,the foreign system as a whole delivers the required level of protection7.Furthermore,according to that judgment,when applying this standard,the Commission should notably assess whether the legal framework of the th

14、ird country in question provides rules intended to limit interferences with the fundamental rights of the persons whose data is transferred from the Union,which the State entities of that country would be authorised to engage in when they pursue legitimate objectives,such as national security,and pr

15、ovides effective legal protection against interferences of that kind8.The Adequacy Referential of the European Data Protection Board,which seeks to further clarify this standard,also provides guidance in this regard9.(5)The applicable standard with respect to such interference with the fundamental r

16、ights to privacy and data protection was further clarified by the Court of Justice in its judgment of 16 July 2020 in Case C-311/18,Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems(Schrems II),which invalidated Commission Implementing Decision(EU)2016/125010 on a previ

17、ous transatlantic data flow framework,the EU-U.S.Privacy Shield(Privacy Shield).The Court of Justice considered that the limitations to the protection of personal data arising from U.S.domestic law on the access and use by U.S.public authorities of data transferred from the Union to the United State

18、s for national security purposes were not circumscribed in a way that satisfies requirements that are essentially equivalent to those under Union law,as regards the necessity and proportionality of such interferences with the right to data protection11.The Court of Justice also considered that no ca

19、use of action was available before a body which offers the persons whose data was transferred to the United States guarantees essentially equivalent to those required by Article 47 of the Charter on the right to an effective remedy12.4 See,most recently,Case C-311/18,Facebook Ireland and Schrems(Sch

20、rems II)ECLI:EU:C:2020:559.5 Case C-362/14,Maximilian Schrems v.Data Protection Commissioner(Schrems),ECLI:EU:C:2015:650,paragraph 73.6 Schrems,paragraph 74.7 See Communication from the Commission to the European Parliament and the Council,Exchanging and Protecting Personal Data in a Globalised Worl

21、d,COM(2017)7 of 10.1.2017,section 3.1,pp.6-7.8 Schrems,paragraph 88-89.9 European Data Protection Board,Adequacy Referential,WP 254 rev.01.available at the following link:https:/ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614108.10 Commission Implementing Decision(EU)2016/1250 of 12 July

22、 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S.Privacy Shield(OJ L 207,1.8.2016,p.1).11 Schrems II,paragraph 185.12 Schrems II,paragraph 197.EN 3 EN(6)Following the Schrems II judgment,the Commission entered

23、 into talks with the U.S.government with a view to a possible new adequacy decision that would meet the requirements of Article 45(2)of Regulation(EU)2016/679 as interpreted by the Court of Justice.As a result of these discussions,the United States on 7 October 2022 adopted Executive Order 14086 Enh

24、ancing Safeguards for US Signals Intelligence Activities(EO 14086),which is complemented by a Regulation on the Data Protection Review Court issued by the U.S.Attorney General(AG Regulation)13.In addition,the framework that applies to commercial entities processing data transferred from the Union un

25、der the present Decision the EU-U.S.Data Privacy Framework(EU-U.S.DPF or DPF)has been updated.(7)The Commission has carefully analysed U.S.law and practice,including EO 14086 and the AG Regulation.Based on the findings set out in recitals 9-200,the Commission concludes that the United States ensures

26、 an adequate level of protection for personal data transferred under the EU-U.S.DPF from a controller or a processor in the Union14 to certified organisations in the United States.(8)This Decision has the effect that personal data transfers from controllers and processors in the Union15 to certified

27、 organisations in the United States may take place without the need to obtain any further authorisation.It does not affect the direct application of Regulation(EU)2016/679 to such organisations where the conditions regarding the territorial scope of that Regulation,laid down in its Article 3,are ful

28、filled.2.THE EU-U.S.DATA PRIVACY FRAMEWORK 2.1 Personal and material scope 2.1.1 Certified organisations(9)The EU-U.S.DPF is based on a system of certification by which U.S.organisations commit to a set of privacy principles-the EU-U.S.Data Privacy Framework Principles,including the Supplemental Pri

29、nciples(together:the Principles)-issued by the U.S.Department of Commerce(DoC)and contained in Annex I to this Decision16.To be eligible for certification under the EU-U.S.DPF,an organisation must be subject to the investigatory and enforcement powers of the Federal Trade Commission(FTC)or the U.S.D

30、epartment of Transportation(DoT)17.The Principles 13 28 CFR Part 302.14 This Decision has EEA relevance.The Agreement on the European Economic Area(EEA Agreement)provides for the extension of the European Unions internal market to the three EEA States Iceland,Liechtenstein and Norway.The Joint Commi

31、ttee Decision incorporating Regulation(EU)2016/679 into Annex XI of the EEA Agreement was adopted by the EEA Joint Committee on 6 July 2018 and entered into force on 20 July 2018.The Regulation is thus covered by that agreement.For the purposes of the decision,references to the EU and EU Member Stat

32、es should thus be understood as also covering the EEA States.15 This Decision does not affect the requirements of Regulation(EU)2016/679 that apply to the entities(controllers and processors)in the Union transferring the data,for instance on purpose limitation,data minimisation,transparency and data

33、 security(see also Article 44 of Regulation(EU)2016/679).16 See in this respect Schrems,paragraph 81,in which the Court of Justice confirmed that a system of self-certification can ensure an adequate level of protection.17 Annex I,Section I.2.The FTC has broad jurisdiction over commercial activities

34、,with some exceptions,e.g.with respect to banks,airlines,the business of insurance and common carrier activities of telecommunications service providers(although the decision of the U.S.Court of Appeals for the Ninth Circuit of 26 February 2018 in FTC v.AT&T has confirmed that the FTC has jurisdicti

35、on over non-EN 4 EN apply immediately upon certification.As explained in more detail in recitals 48-52,EU-U.S.DPF organisations are required to re-certify their adherence to the Principles on an annual basis18.2.1.2 Definition of personal data and concepts of controller and agent(10)The protection a

36、fforded under the EU-U.S.DPF applies to any personal data transferred from the Union to organisations in the U.S.that have certified their adherence to the Principles with the DoC,with the exception of data that is collected for publication,broadcast or other forms of public communication of journal

37、istic material and information in previously published material disseminated from media archives19.Such information can therefore not be transferred on the basis of the EU-U.S.DPF.(11)The Principles define personal data/personal information in the same way as Regulation(EU)2016/679,i.e.as“data about

38、 an identified or identifiable individual that are within the scope of the GDPR received by an organization in the United States from the EU,and recorded in any form”20.Accordingly,they also cover pseudonymised(or“key-coded”)research data(including where the key is not shared with the receiving U.S.

39、organisation)21.Similarly,the notion of processing is defined as“any operation or set of operations which is performed upon personal data,whether or not by automated means,such as collection,recording,organisation,storage,adaptation or alteration,retrieval,consultation,use,disclosure or disseminatio

40、n and erasure or destruction”22.(12)The EU-U.S.DPF applies to organisations in the U.S.that qualify as controllers(i.e.as a person or organisation which,alone or jointly with others,determines the purposes and means of the processing of personal data)23 or processors(i.e.agents acting on behalf of a

41、 controller)24.U.S.processors must be contractually bound to act only on instructions from the EU controller and assist the latter in responding to individuals exercising their rights under the Principles25.In addition,in the case of sub-processing,a processor must conclude a contract with the sub-p

42、rocessor guaranteeing the same level of protection as provided by the Principles and take steps to ensure its proper implementation26.2.2 EU-U.S.Data Privacy Framework Principles 2.2.1 Purpose limitation and choice common carrier activities of such entities).See also Annex IV,footnote 2.The DoT is c

43、ompetent to enforce compliance by airlines and ticket agents(for air transportation),see Annex V,under section A.18 Annex I,Section III.6.19 Annex I,Section III.2.20 Annex I,Section I.8.a.21 Annex I,Section III.14.g.22 Annex I,Section I.8.b.23 Annex I,Section I.8.c.24 See e.g.Annex I,Section II.2.b

44、and Section II.3.b and 7.d,which make clear that agents act on behalf of a controller,subject to the latters instructions and under specific contractual obligations.25 Annex I,Section III.10.a.See also the guidance prepared by the DoC,in consultation with the European Data Protection Board,under the

45、 Privacy Shield,which clarified the obligations of US processors receiving personal data from the Union under the framework.As these rules have not changed,this guidance/FAQ remains relevant under the EU-U.S.DPF(https:/www.privacyshield.gov/article?id=Processing-FAQs).26 Annex I,Section II.3.b.EN 5

46、EN(13)Personal data should be processed lawfully and fairly.It should be collected for a specific purpose and subsequently used only insofar as this is not incompatible with the purpose of processing.(14)Under the EU-U.S.DPF,this is ensured through different Principles.Firstly,under the Data Integri

47、ty and Purpose Limitation Principle,similarly as under Article 5(1)(b)of Regulation(EU)2016/679,an organisation may not process personal data in a way that is incompatible with the purpose for which it was originally collected or subsequently authorised by the data subject27.(15)Secondly,before usin

48、g personal data for a new(changed)purpose that is materially different but still compatible with the original purpose,or disclosing it to a third party,the organisation must provide data subjects with the opportunity to object(opt-out),in accordance with the Choice Principle28,through a clear,conspi

49、cuous and readily available mechanism.Importantly,this Principle does not supersede the express prohibition on incompatible processing29.2.2.2 Processing of special categories of personal data(16)Specific safeguards should exist where special categories of data are processed.(17)In accordance with t

50、he Choice Principle,specific safeguards apply to the processing of sensitive information,i.e.personal data specifying medical or health conditions,27 Annex I,Section II.5.a.Compatible purposes may include auditing,fraud prevention,or other purposes consistent with the expectations of a reasonable pe