Swedish Privacy Watchdog Advises Business on EU-US Data Privacy Framework
The Swedish Data Protection Authority responded Monday to what it said were many questions about personal data transfers to the U.S. It noted that the 2023 EU-U.S. data privacy framework (DPF) permits trans-Atlantic data flows. A key factor underlying the European Commission's adequacy decision that permits such data transfers was the creation of the U.S. Privacy and Civil Liberties Oversight Board (PCLOB).
Sign up for a free preview to unlock the rest of this article
However, the Trump Administration's recent decision to fire most of the board's members (see 2502250052) means the PCLOB no longer complies with the adequacy decision, creating questions about whether and, if so, how the decision might be affected.
The EC is charged with monitoring developments in countries with adequacy decisions, the Swedish authority said. If there's information showing that adequate protection for Europeans' personal data can no longer be ensured, the EC could revoke, amend or repeal the decision; and the European Court of Justice could also annul the adequacy decision.
In the absence of such actions, the authority said, the adequacy decision stands, and companies that the DPF covers may continue sending personal data to the U.S. Other changes in the U.S. won't automatically lead to the adequacy decision being canceled, but the EC will continue monitoring the situation, the authority said.
In the meantime, companies should keep up-to-date on developments around the adequacy decision and be aware of other vehicles for transferring personal data to the U.S., the watchdog said. It promised to notify businesses immediately if changes occur.