Photo of Jasmine Agyekum

Jasmine Agyekum

Jasmine Agyekum advises clients on a broad range of technology, AI, data protection, privacy and cybersecurity issues. She focuses her practice on providing practical and strategic advice on compliance with the EU and UK General Data Protection Regulations (GDPR), EU e-Privacy laws and the UK Data Protection Act. Jasmine also advises on a variety of policy proposals and developments in Europe, including on the EU’s proposed Data Governance Act and AI Regulation.

Jasmine’s experience includes:

  • Advising a leading technology company on GDPR compliance in connection with the launch of an ad supported video on demand and live streaming service.
  • Advising global technology companies on the territorial application of the GDPR and EU Member State data localization laws.
  • Representing clients in numerous industries, including, life sciences, consumer products, digital health and technology and gaming, in connection with privacy due diligence in cross-border corporate mergers & acquisitions.
  • Advising clients on responding to data breaches and security incidents, including rapid incident response planning and notifications to data protection authorities and data subjects.

Jasmine’s pro bono work includes providing data protection advice to a mental health charity in connection with their launch of a directory of mental health and wellbeing support to children and working with a social mobility non-profit organization focused on widening access to opportunities in the law to individuals from various socio-economic backgrounds.

On July 10, 2023, the European Commission adopted its adequacy decision on the EU-U.S. Data Privacy Framework (“DPF”). The decision, which took effect on the day of its adoption, concludes that the United States ensures an adequate level of protection for personal data transferred from the EEA to companies certified to the DPF. This blog post summarizes the key findings of the decision, what organizations wishing to certify to the DPF need to do and the process for certifying, as well as the impact on other transfer mechanisms such as the standard contractual clauses (“SCCs”), and on transfers from the UK and Switzerland.

Background

The Commission’s adoption of the adequacy decision follows three key recent developments:

  1. the endorsement of the draft decision by a committee of EU Member State representatives;
  2. the designation by the U.S. Department of Justice of the European Union and Iceland, Liechtenstein, and Norway (which together with the EU form the EEA) as “qualifying states,” for the purposes of President Biden’s Executive Order 14086 on Enhancing Safeguards for U.S. Signals Intelligence Activities (“EO 14086”). This designation enables EU data subjects to submit complaints concerning alleged violations of U.S. law governing signals intelligence activities to the redress mechanism set forth in the Executive Order and implementing regulations (see our previous blog post here); and
  3. updates to the U.S. Intelligence Community’s policies and procedures to implement the safeguards established under EO 14086, announced by the U.S. Office of Director of National Intelligence on July 3, 2023.

The final adequacy decision, which largely corresponds to the Commission’s draft decision (see our prior blog post here), concludes “the United States … ensures a level of protection for personal data transferred from the Union to certified organisations in the United States under the EU-U.S. Data Privacy Framework that is essentially equivalent to the one guaranteed by [the GDPR]” (para. 201).

Key Findings of the Decision

In reaching the final decision, the Commission confirms a few key points:Continue Reading European Commission Adopts Adequacy Decision on the EU-U.S. Data Privacy Framework