A new legal mechanism to allow for transfers of personal data between the EU and the U.S. is now advancing after an October 7th, 2022 Executive Order was issued by U.S. President Biden (the “Executive Order”). The new mechanism is referred to as the EU-U.S. Data Privacy Framework (the “Framework”) and is intended to replace the now-defunct EU-U.S. Privacy Shield mechanism. Specifically, the Executive Order provides data protections that enables the potential creation of the Framework, which first debuted in a joint press conference in March 2022. Similar progress has also been made on an equivalent data transfer arrangement between the UK and U.S. governments. If realized and implemented, the Framework has the potential to lower legal barriers for personal data transfers between the EU and the UK, and the U.S.
The EU General Data Protection Regulation (“EU GDPR”) and the UK General Data Protection Regulation (“UK GDPR” and collectively with the EU GDPR, the “GDPR”) places restrictions on personal data transfers to certain countries outside of the European Economic Area (“EEA”) and the UK.
An “adequacy decision” from the European Commission and comparable certification by the UK government are key mechanisms companies rely upon to comply with these GDPR restrictions. Specifically, “positive” “adequacy decisions” made by the European Commission can deem that either all data transfers to the relevant country, or transfers made under certain pre-approved data transfer mechanisms to the relevant country, are deemed to satisfy such GDPR restrictions. To illustrate, the European Commission’s “positive” “adequacy decision” for the EU-U.S. Privacy Shield allowed EEA-based companies to transfer – in compliance with the GDPR – personal data to U.S. based companies that had certified to the Privacy Shield program. However, the Privacy Shield “adequacy decision” was invalidated by the EU’s highest court – the Court of Justice of the European Union (the “CJEU”) – in 2020 in the Schrems II decision. In turn, since the Schrems II decision, companies that had relied on the Privacy Shield have had to use alternate data transfer mechanisms to comply with the EU GDPR.
The UK still has its own version of the EU GDPR – namely, the UK GDPR in place following its exit from the EU; and case law, such as the Schrems II decision issued before “Brexit” continue apply to the UK. Therefore, and despite Brexit, similar issues have continued to be experienced with respect to data flows from the UK to the U.S. to those outlined above.
The Scope of the Executive Order
In light of the Schrems II decision, the Executive Order seeks to accomplish two key objectives to allow for the creation of the Framework:
- impose restrictions on access by the U.S. government to data transferred from certain overseas jurisdictions (including from the EEA and the UK). Specifically, the Executive Order provides binding safeguards that limit access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security. Alleged extensive U.S. government access to EEA-originating personal data transferred under the Privacy Shield mechanism was a chief concern of the CJEU in Schrems II; and
- provide for improved legal redress for individuals resident in such jurisdictions who claim that their privacy rights have been infringed. Specifically, the Executive Order establishes an independent and impartial redress process, which includes a new Data Protection Review Court (“DPRC”) to investigate and resolve complaints regarding access to their data by U.S. national security authorities. The redress process will start with the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (“CLPO”) conducting an initial investigation of complaints received to determine whether the Executive Order’s enhanced safeguards or other applicable U.S. law were violated. Importantly, the results of this process will be binding on the U.S. Intelligence agencies.
Next Steps for the Framework
The Framework is not likely to be available for use by companies before the end of this year. This is because separate “adequacy decisions” will first need to be issued – following potentially protracted and uncertain governmental and legislative processes – by the European Commission and the UK government by reference to the new data protections afforded by the Executive Order; however, both the Commission and the UK government have welcomed the Executive Order. In FAQ’s released in response to the Executive Order, the European Commission called the measures in the Executive Order “significant improvements”. The UK Government has also welcomed the publication of the Executive Order saying that it “strengthens the safeguards and establishes new redress routes for UK data processed by US authorities”.
Once “adequacy decisions” are issued by the European Commission and UK government, US companies can seek to be certified by the U.S. Department of Commerce under the Framework. US companies will be able to certify to the Framework by committing to comply with a detailed set of privacy obligations. While those obligations are not yet detailed, we expect that certain core GDPR principles will be among them, such as data minimization, purpose limitation, and certain data subject rights.