3 minute read

US executive order re US-EU data transfers

Next Article
Leap

Leap

The question: Post-Schrems II, what does the new US Executive Order mean for personal data transfers between the EU and US?

The key takeaway

An Executive Order was signed by President Biden which represents the next step in implementing a new EU-US data transfer mechanism. The European Commission will now need to take a formal Adequacy Decision, although this may well be challenged in particular by Max Schrems.

The background

The EU General Data Protection Regulation (GDPR) restricts transfer of personal data from the EU to third countries. Previously, the EU-US Privacy Shield allowed for such transfers to recipients in the US. However, in 2020, the European Court of Justice (ECJ) ruled in the Schrems II case that the Privacy Shield was invalid and could no longer be used as a legal basis for data transfers. As this decision was made prior to Brexit, it also applies in the UK in the context of the UK GDPR.

In March 2022, the European Commission and the US announced their agreement on a new Trans-Atlantic Data Privacy Framework (the Framework) which sets out a range of measures to address the concerns raised by the ECJ in Schrems II.

The development

On 7 October 2022, President Biden signed an Executive Order setting out the steps the US will take to meet its obligations under the Framework.

The Executive Order provides protections for personal data received in the US including new safeguards limiting the US government and intelligent services’ access to personal data. US officials will only be able to access what is “necessary and proportionate” to protect national security.

The Executive Order also provides remedies for individuals whose privacy rights are breached through an independent and impartial redress process. This includes the establishment of a new Data Protection Review Court to review complaints against US national security authorities who access personal data improperly. The Court will have various powers including ordering companies to delete personal data.

The results of the redress process will be binding on US intelligence services. The European Commission will now need to adopt a formal Adequacy Decision. The process typically takes six months.

However, the privacy activist behind the Schrems II case, Max Schrems, has said that the Executive Order does not satisfactorily address the issues of the former Privacy Shield. Schrems said he will likely challenge any Adequacy Decision by applying for an injunction in a national court against a company that relies on the adequacy decision.

Post-Brexit, data transfers out of the UK are subject to the UK GDPR and the UK’s own Adequacy Decisions. The UK Government has confirmed that it is separately working towards a new Adequacy Agreement in respect of UK-US transfers.

Why is this important?

A Data Adequacy arrangement between the US and EU would remove the need for additional safeguards to be put in place, typically Standard Contractual Clauses

(SCCs) or Binding Corporate Rules, which are costly and time-consuming to agree. Therefore, the issuing of the Executive Order is welcome news for businesses looking for a more streamlined way to transfer data to the US.

Any practical tips?

While this is a major development, we still await the European Commission’s Adequacy Decision. If the Adequacy Decision is passed, it would still be prudent to continue as per normal (eg by using the SCCs) until it becomes clear if and how effective Mr Schrems’s challenge may be – noting of course that his previous attacks (on both the Privacy Shield and the Safe Harbour before it) were both effective in killing them off.

Article by Euan Temple

This article is from: