A new legal mechanism for transfers of personal data between the EU and the U.S. is now advancing following an Executive Order issued by U.S. President Biden on October 7th, 2022 (the “Executive Order”). The new mechanism is referred to as the EU-U.S. Data Privacy Framework (the “Framework”) and is intended to replace the now-defunct EU-U.S. Privacy Shield mechanism. Specifically, the Executive Order provides the data protections that enable the creation of the Framework, which was first announced in a joint press conference in March 2022. Similar progress has also been made on an equivalent data transfer arrangement between the UK and U.S. governments. If realized and implemented, the Framework has the potential to lower the legal barriers to personal data transfers from the EU and the UK to the U.S.
The Scope of the Executive Order
In light of the Schrems II decision, the Executive Order seeks to accomplish two key objectives to allow for the creation of the Framework:
- impose restrictions on access by the U.S. government to data transferred from certain overseas jurisdictions (including the EEA and the UK). Specifically, the Executive Order provides binding safeguards that limit access to such data by U.S. intelligence authorities to what is necessary and proportionate to protect national security. Alleged extensive U.S. government access to EEA-originating personal data transferred under the Privacy Shield mechanism was a chief concern of the CJEU in Schrems II; and
- provide improved legal redress for individuals resident in those jurisdictions who claim that their privacy rights have been infringed. Specifically, the Executive Order establishes an independent and impartial redress process, which includes a new Data Protection Review Court (“DPRC”) to investigate and resolve complaints about access to individuals’ data by U.S. national security authorities. The redress process will start with the Civil Liberties Protection Officer (“CLPO”) in the Office of the Director of National Intelligence conducting an initial investigation of each complaint received to determine whether the Executive Order’s enhanced safeguards or other applicable U.S. law were violated, with the DPRC providing a further layer of independent review. Importantly, the results of this process will be binding on the U.S. intelligence agencies.
Next Steps for the Framework
The Framework is not likely to be available for use by companies before the end of this year. This is because separate “adequacy decisions” will first need to be issued by the European Commission and the UK government, following potentially protracted and uncertain governmental and legislative processes, by reference to the new data protections afforded by the Executive Order. Both the Commission and the UK government have, however, welcomed the Executive Order.
Once adequacy decisions are issued by the European Commission and the UK government, U.S. companies can seek certification by the U.S. Department of Commerce under the Framework. U.S. companies will be able to certify to the Framework by committing to comply with a detailed set of privacy obligations. While those obligations have not yet been published, we expect that certain core GDPR principles will be among them, such as data minimization, purpose limitation, and certain data subject rights.