
Third time lucky? New EU-US Data Privacy Executive Order Signed

Last week President Biden signed an Executive Order to implement the agreement in principle reached in March on a new EU-US Data Privacy Framework. This is the third attempt at establishing a set of principles to govern transfers of personal data from the EU to the US after both the Safe Harbor and Privacy Shield mechanisms were invalidated, following legal challenges brought by Austrian privacy activist Max Schrems.

The Executive Order introduces two key changes:

  1. It places substantive limitations on surveillance by adding safeguards for U.S. signals intelligence activities (including requiring that they be conducted only in pursuit of defined national security objectives) and mandating data handling requirements. The U.S. Intelligence Community is further required to update its policies and procedures to reflect these changes.
  2. It creates a new redress mechanism for individuals to investigate and resolve complaints regarding access to their data by US national security authorities. This has two layers:
    1. a Civil Liberties Protection Officer (CLPO) to investigate complaints to see if the new safeguards or other U.S. laws have been violated; and
    2. the establishment of a Data Protection Review Court to provide independent and binding review of the CLPO’s decisions.

These changes seek to address the main issues raised in the Schrems II judgment, namely that existing US legislation did not include adequate limitations on surveillance activities or effective methods for individuals to seek judicial redress.

The European Commission has set out a helpful Q&A explaining what comes next. The plan is to propose a draft adequacy decision for consideration by EU institutions with a view to adopting a final decision, which will enable the free and safe flow of data to US companies certified under the new framework. The Commission has expressed its belief that the safeguards and redress mechanism within the Executive Order “provide a durable and reliable basis for transatlantic data flows”.

Early indications suggest that we may have an adequacy decision from the Commission within 6 months. Notably, an equivalent decision from the UK Government may come sooner, with the government signalling its intent to lay adequacy regulations in Parliament in early 2023. Until an adequacy decision is achieved, the Commission has reminded companies of existing tools that may be utilised for international transfers, highlighting the “Standard Contractual Clauses” and accompanying requirements.

Of course, it may not all be plain sailing from here. Notably noyb, the privacy non-profit led by Max Schrems, has already issued a first reaction, questioning whether the Executive Order does enough to ensure that surveillance is proportionate or if the Data Protection Review Court is capable of “judicial redress”, given that it will be a body within the US government’s executive branch rather than a “Court” under the US Constitution. noyb further expressed surprise that the Commission did not request that the “Privacy Shield Principles” under the new US framework be aligned with GDPR. noyb has promised to analyse the documentation associated with the Executive Order and Max Schrems has suggested “it will be back to the CJEU sooner or later”. Given Schrems’ track record in orchestrating the repeal of US transfer mechanisms, we should perhaps remain cautious over the potential for the new framework to be the ‘silver bullet’ that ends the uncertainty over US transfers.

These steps will provide the European Commission with a basis to adopt a new adequacy determination, which will restore an important, accessible, and affordable data transfer mechanism under EU law. It will also provide greater legal certainty for companies using Standard Contractual Clauses and Binding Corporate Rules to transfer EU personal data to the United States.
