The United States is adequate, at least according to a draft opinion on the EU-U.S. Data Privacy Framework.
Here is a look at what the opinion says, and what U.S. companies involved in EU-U.S. transfers should be doing now.
What has happened:
- The new EU-U.S. Data Privacy Framework Principles, including the Supplemental Principles, are here in an updated form.
- Companies are required to apply the Principles to all personal data transferred in reliance on the EU-U.S. DPF after they enter the EU-U.S. DPF.
Overall to do:
- Companies should review the principles and start addressing any gaps in their compliance.
Why now if it’s still in draft form?
- Because it is unlikely that the Principles will change in a way that makes them less stringent. They may become more stringent if EDPB comments require them to align more closely with the GDPR.
- And because even in this format there is a lot of work to do, even for companies that certified under Privacy Shield (and definitely for those that did not).
Key changes and what you need to do:
1) Not Your Grandmother's Personally Identifiable Information (PII):
The definition of personal data/information is identical to the GDPR's, and it is far broader than the definition of PII used for data breach notification purposes. (It is similar to the definitions in the new U.S. state privacy laws.)
Regarding public records:
- The principles of Security, Data Integrity and Purpose Limitation, and Recourse, Enforcement and Liability also apply to personal data from public records (i.e., those records kept by...