The agreement on a new EU-U.S. data privacy framework between EU Commission President Ursula von der Leyen and U.S. President Joe Biden had already been announced on 25 March 2022 (for background, please refer to our previous article The EU-US Privacy Shield: Third Time’s a Charm? – Mamo TCV). However, the stability and longevity of the agreement were questioned by Austrian privacy activist Max Schrems, who sent an open letter to stakeholders warning that the new framework risks being declared invalid, and consequently struck down by the CJEU, should no reforms to U.S. law take place to ensure legal certainty.
On the 7th of October 2022, President Biden signed an Executive Order implementing the commitments made by the U.S. in the agreement which was announced earlier in March. The Executive Order provides binding safeguards which limit the U.S. intelligence authorities’ access to data in accordance with what is necessary and proportionate to protect national security. It also establishes an independent and impartial redress mechanism, consisting of a new Data Protection Review Court which shall investigate and take on complaints concerning data access exercised by U.S. national security authorities.
As opposed to the Privacy Shield, which had been declared invalid by the ECJ, the Executive Order has made significant improvements in relation to governmental data access, and U.S. companies have certain obligations to adhere to in relation to the importation of personal data from the EU. Moreover, the Executive Order introduces a two-tier redress mechanism, with the first layer giving individuals located in the EU the opportunity to file a complaint with the ‘Civil Liberties Protection Officer’; and the second layer providing such individuals with the opportunity to appeal the decision given by such Officer before the new Data Protection Review Court, which shall be composed of qualified members who cannot take instructions from the government. The Review Court will have specific powers, such as ordering the deletion of personal data where a violation of the safeguards provided in the Executive Order is found.
Given the adoption of the Executive Order, the European Commission may now proceed to propose an adequacy decision, which will be subject to the European Parliament’s right of scrutiny, and after which the Commission can adopt the final adequacy decision. After its adoption, the United States would be considered ‘whitelisted’ and data may then flow freely and safely between the EU and the U.S.
For the moment, companies have other options which they may avail themselves of to transfer data from the EU to third countries, including the United States, such as inserting the EU Commission’s model clauses (or ‘standard contractual clauses’) in their commercial contracts (for more information, please refer to our earlier article: Deadline for Third Country Personal Data Transfers: EU Standard Contractual Clauses).