
Regulatory Alert: The EU-U.S. Data Privacy Framework (DPF) 2023

BACKGROUND

The EU-U.S. Data Privacy Framework[2] (DPF) establishes a mechanism for transferring personal data from the EU to the U.S., ensuring adequate safeguards and protection as European legislation requires. Developed by the U.S. Department of Commerce in consultation with the European Commission, industry, and other stakeholders, the DPF aims to facilitate trade and commerce between the U.S. and EU, addressing the different approaches to privacy protection by the U.S. and EU.

KEY REQUIREMENTS

  1. Self-Certification: Organisations must self-certify adherence to the DPF Principles, publicly declare their commitment, disclose their privacy policies, and thoroughly implement them.[3]
  2. Data Privacy Framework List: The Department maintains a public list of self-certified organisations. Benefits are assured upon listing. Non-compliant organisations will be removed and must continue applying the Principles, provide “adequate” protection by other means, or return/delete the information.[4]
  3. Limitations and Exceptions: Adherence to Principles may be limited under certain conditions like complying with court orders or public interest requirements. Organisations are expected to opt for higher protection where possible.[5]
  4. Scope of Application: The Principles apply to all personal data transferred under the DPF, including human resources information in employment contexts.[6]
  5. Definitions and Obligations: The document defines personal data, processing, and the role of the data controller. It outlines the obligations regarding notice, choice, accountability for onward transfer, security, data integrity, purpose limitation, and access to personal data.[7]
  6. Enforcement and Liability: Robust mechanisms for compliance, recourse for affected individuals, and consequences for non-compliance are required. This includes independent recourse mechanisms, follow-up procedures for verifying privacy practices, and obligations to remedy non-compliance issues.[8]

IMPLICATIONS

  1. Operational Adjustments: Organisations must align their data handling and privacy policies with the DPF Principles.
  2. Legal and Regulatory Compliance: Non-compliance can result in removal from the Data Privacy Framework List, affecting the organisation’s ability to transfer data from the EU.
  3. International Data Flow: The DPF impacts data transfer strategies for businesses operating between the EU and the U.S., necessitating ongoing compliance monitoring.

CONSIDER

  1. Comprehensive Review of Practices: Review and update privacy policies and practices in line with DPF requirements.
  2. Continuous Monitoring and Compliance: Stay informed about developments in the DPF and ensure ongoing compliance with its Principles.
  3. Legal Consultation: Engage with legal experts to understand the implications and ensure alignment with the DPF and GDPR.

CONCLUSION

The EU-U.S. Data Privacy Framework presents significant developments for organisations involved in transatlantic data transfers. Adherence to its Principles is essential for compliance, operational continuity, and stakeholder trust. It is crucial for businesses, especially those with operations in Indonesia engaged in EU-U.S. data transfers, to understand and comply with the new framework to ensure seamless international operations. Even for businesses that do not operate in this particular market, it is well worth noting that EU regulations in Cyber Law are often adopted as the industry standard by other nations considering similar legislation.

[1] Setyawati Fitrianggraeni holds the position of Managing Partner at Anggraeni and Partners in Indonesia. She also serves as an Assistant Professor at the Faculty of Law, University of Indonesia, and is currently pursuing a PhD at the World Maritime University in Malmo, Sweden. This article is co-authored by Sri Purnama, Junior Legal Research Analyst and Jericho Xafier Ralf, Junior Associate at Anggraeni and Partners.

[2] The Draft Regulation referenced in this document pertains to the version dated 7th October 2023, as obtained from the official website of the European Commission, accessible at Adequacy decision EU-US Data Privacy Framework_en.pdf (europa.eu). Please note that subsequent amendments or updates to the Draft Regulation may have occurred after this date. Readers are advised to consult the latest version of the document for the most current information.

[3] The European Commission. “Commission Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework”. Adequacy decision EU-US Data Privacy Framework_en.pdf (europa.eu), pp. 11, para. 44.

[4] Ibid., pp. 7, para. 28.

[5] Ibid., pp. 23, para. 88-89.

[6] Ibid., pp. 13, para. 52.

[7] U.S. Department of Commerce, “EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES ISSUED BY THE U.S. DEPARTMENT OF COMMERCE”. EU-US Data Privacy Framework Principles (publishing.service.gov.uk). Accessed on 15 November 2023.

[8] Shoosmiths. “U.S Adequacy has arrived, does this change your international transfers strategy?”. EU-US Data Privacy Framework Principles (publishing.service.gov.uk), pp. 3. Accessed on 15 November 2023.

 


Authors

S.F. Anggraeni, Managing Partner

Sri Purnama, Junior Legal Research Analyst

Jericho Xafier Ralf, Junior Associate