October 7, 2022
President Biden Issues Executive Order on New EU-US Data Privacy Framework
On October 7, 2022, President Joe Biden issued an Executive Order on the new EU-US Data Privacy Framework (EU-US DPF) which, if approved in the EU, would allow for the enhanced protection of personal information transferred between the US and the EU. The Executive Order follows an agreement in principle on the transfer framework which was announced in March 2022 by the President of the European Commission, Ursula von der Leyen, and marked the first formal step in adopting a new mechanism for transatlantic data flows.
“Transatlantic data flows are critical to enabling the $7.1 trillion EU-U.S. economic relationship. The EU-U.S. DPF will restore an important legal basis for transatlantic data flows by addressing concerns that the Court of Justice of the European Union raised in striking down the prior EU-U.S. Privacy Shield framework as a valid data transfer mechanism under EU law.”
Since the invalidation of the EU-US Privacy Shield in 2020 as a result of the Schrems II case, organizations have had to navigate alternative measures to ensure that personal data being transferred from the EU to the US has adequate and essentially equivalent levels of protection. Importantly, the new EU-US DPF includes a binding mechanism for individuals to seek redress, a factor that was critical in the CJEU’s Schrems II decision. While an adequacy decision for this new framework must still be reviewed and adopted by the European Commission, it marks a movement towards more legal certainty for organizations that rely on moving data from the EU to the US.
What does the new framework mean?
The Executive Order issued today highlights several key elements of the framework and aims to alleviate the concerns raised by the Schrems II decision. The EU-US DPF adds further safeguards, including a requirement that US signals intelligence activities be conducted only in pursuit of defined national security objectives. The framework would ensure that these activities are conducted only where necessary and proportionate to advance valid intelligence priorities.
Additionally, the framework includes requirements for the handling of personal information collected by US signals intelligence activities and extends the responsibility for remediating non-compliance to legal, oversight, and compliance officials. As a result of the Executive Order, the US Intelligence Community will be required to update its policies and procedures to reflect these new safeguards.
The CJEU highlighted the lack of access for EU data subjects to legal redress in cases where their personal data was intercepted by US intelligence efforts. The new EU-US DPF addresses this by creating a multi-layer redress mechanism for applicable individuals.
This mechanism can be used in cases where personal information collected through US signals intelligence was collected or handled by the US in violation of applicable privacy laws, including the enhanced safeguards introduced by the EU-US DPF. The first layer of the redress mechanism gives the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO) the power to investigate complaints and determine whether non-compliance with the EU-US DPF or other US laws has occurred.
The second layer of review empowers the Attorney General to establish a Data Protection Review Court (DPRC), which will provide an independent review of the CLPO’s decision. The DPRC will be composed of judges appointed from outside the US government who have relevant experience in data privacy and national security. The Attorney General today issued accompanying regulations on the establishment of the DPRC.
The CLPO will also be responsible for establishing an annual review of the Intelligence Community policies and procedures to ensure they align with the EU-US DPF.
How will this impact organizations’ data operations?
In the long term, the EU-US DPF aims to provide more legal certainty for organizations transferring personal data from the EU to the US, and organizations can look forward to a more streamlined transfer solution. It would also restore an “important, accessible, and affordable data transfer mechanism” in the place the EU-US Privacy Shield once occupied, but with enhanced protections for personal information and greater access to redress in cases of non-compliance.
In the short term, the announcement aims to address the concerns of EU citizens in the fallout from the Schrems II case. However, the Executive Order must still make its way through the legislative process in the EU, which will rely upon an adequacy decision being issued by the European Commission. It could take up to six months for this decision to be made, so the prospect of the EU-US DPF entering into effect in 2022 is slim; at the latest, it would be expected by March 2023.
In the meantime, organizations should bear in mind that while the EU-US DPF may remove the need to conduct a Transfer Impact Assessment (TIA) for transfers to the US, transfers from the EU to other third countries will still need to be assessed. Therefore, keeping your data map up to date with current processing activities and vendors is essential to remain compliant with the GDPR.
Take a look at OneTrust’s range of solutions for dealing with data transfers to third countries, including visualization of international data flows, access to vendor transparency reports, and pre-filled TIAs from the OneTrust platform.