White House Issues Executive Order on EU-U.S. Data Privacy Framework
By: Lewis Brisbois' Data Privacy & Cybersecurity Team
On October 7, 2022, President Biden signed the “Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities” (the E.O.), which outlines the actions the United States will take to implement the commitments made under the European Union-U.S. Data Privacy Framework (EU-U.S. DPF) announced in March 2022. The E.O. and EU-U.S. DPF are a welcome change for U.S. companies grappling with compliance requirements under the EU’s far-reaching data privacy law, the General Data Protection Regulation (GDPR).
The GDPR requires a legal basis to legitimize transfers of the personal data of EU data subjects outside of the EU. Many companies previously relied upon the EU-U.S. Privacy Shield mechanism for data transfers between the EU and U.S. However, the Court of Justice of the European Union, in its Schrems II decision, invalidated the U.S. Privacy Shield as a legal basis for such transfers because the court found that U.S. privacy protections were not equivalent to EU standards for data privacy and protection.
As stated in its accompanying fact sheet, the E.O. seeks to remedy deficiencies by adding further safeguards for U.S. signals intelligence activities, including “requiring that such activities be conducted only in pursuit of defined national security objectives; take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence; and be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority.” The E.O. also creates a mechanism for individuals to obtain independent and binding review and redress of claims that their personal information was collected in violation of these safeguards.
Many of the new standards outlined in the E.O. are effective immediately, and companies may want to document these enhanced safeguards in transfer impact assessments. However, companies must still rely upon other legal bases for transfers of personal data from the EU to the U.S., such as the standard contractual clauses, while we await an adequacy decision from the European Commission. It is anticipated this process may take until March 2023, and any adequacy decision will likely be challenged in court.
For more information on this E.O., contact the authors of this post.