New Developments in EU-US Data Transfers

Friday 25th November, 2022

An Executive Order (“EO”) was signed by President Biden on 7 October 2022, setting out the practical steps the US will take to support their commitments under the EU-US Data Privacy Framework, announced in March 2022.

International personal data transfers must have “adequate safeguards” in place, according to the EU and UK GDPRs. The EU and UK have designated countries which already have “adequate” data protection rules so personal data can flow freely to those destinations. However, they do not currently recognise that the US has these safeguards in place.

Previous schemes, such as the “Privacy Shield”, failed after being challenged by data activist Max Schrems in the Court of Justice of the European Union (“CJEU”) (see “Managing Cross Border Data Transfers” for more information on the Schrems II case), and the EO aims to address the issues raised in this judgment.

Additional safeguards

The EO sets out additional safeguards against US signals intelligence activities by mandating that these activities:

  • only be carried out in support of clearly defined national security objectives;
  • take into consideration the rights to privacy and civil liberties of all individuals, regardless of nationality or place of residence; and
  • must be conducted in a proportionate manner and only when necessary to advance a valid intelligence objective.

The EO also establishes guidelines for the management of personal data gathered during signals intelligence activities and expands the duties of legal oversight and compliance officials to guarantee that appropriate steps are taken to address any instances of non-compliance. As part of these new rules, the US Intelligence Community must also update their policies and procedures to reflect these changes.

The Data Protection Review Court (“DPRC”)

One major area of contention for the CJEU was the lack of a competent, non-political US court and complaints procedure for individuals outside the US. Whereas the EO has now established a multi-tiered framework, including the new DPRC, to allow residents of qualifying states and regional economic integration organisations to obtain an independent and binding review and redress.

What happens next?

Following the signing of the EO, the European Commission will now prepare a draft adequacy decision and then begin its adoption procedure, with the hope to have it ratified by March 2023.

The adoption procedure for an adequacy decision consists of several steps, including getting an opinion from the European Data Protection Board (“EDPB”) and approval from a committee comprised of EU Member State representatives.

Furthermore, the European Parliament has the right to scrutinise adequacy decisions. In these negotiations, the European Commission’s goal has been to resolve the issues raised in the Schrems II ruling by the CJEU and to create a solid and trustworthy legal foundation for transatlantic data transfers.

The protections outlined in the EO reflect this, particularly regarding the creation of the new redress mechanism and the substantive restriction on the access to data by US national security authorities, ensuring that activities are necessary and proportionate.

What does this mean moving forward?

If the EU adequacy decision is adopted, then personal data can once again flow freely from the EEA to the US, subject to compliance with any conditions in the adequacy decision.

However, the EU adequacy decision will not apply to the UK. In a joint statement from the UK and US Governments, the parties announced that they had made significant progress relating to the UK-US data protection adequacy discussions. The UK Government has stated that they are aiming to expediently conclude their adequacy decision, and the US have declared that they intend to designate the UK as a qualifying state under the EO. If the EU adopts an adequacy decision for the US, it is inevitable the UK will as well.

It is important to remember that an adequacy decision is not the only tool available for international personal data transfers. The most used mechanism for transferring personal data from the EU or UK is Standard Contractual Clauses (“SCC”), which companies can include in their commercial contracts.

Data activist Max Schrems has already stated that he, and the group he leads (None of Your Business), will challenge the proposed EU adequacy decision, paying particular attention to the nature of the DPRC. Schrems does not believe that the EO demonstrates a significant improvement from the previous regimes and thinks that the CJEU will hold a stricter opinion than the European Commission.

Practical implications for businesses

Companies operating or doing business in the US should keep a close watch on developments over the coming months and be ready to update their procedures and contracts should the EU and UK adequacy decisions be implemented.


Articles by Chris Mooney