On 7 October 2022, President Joe Biden signed an Executive Order (the “EO”), which sets out the steps the US will take to implement a new EU-US Data Privacy Framework (the “Framework”) – a development that has been long-awaited by organisations that transfer data between the EU and US. This is the third attempt at establishing a set of principles to govern transfers of personal data from the EU to the US after both the Safe Harbour and Privacy Shield mechanisms were invalidated, following legal challenges brought by privacy activist Max Schrems (see previous updates here and here).
The content of the Executive Order
- adds a new set of rules and binding safeguards for US intelligence authorities, requiring that activities be conducted only in pursuit of defined national security objectives whilst considering the privacy and civil liberties of all persons, regardless of nationality or country of residence.
- provides handling requirements for personal information collected through intelligence activities.
- introduces a two-step redress mechanism - data subjects in ‘qualifying states’, who believe their data has been processed in violation of applicable US law (including the enhanced safeguards in the EO), will be able to:
- in the first instance, complain to The Director of National Intelligence’s Civil Liberties Protection Officer (CLPO) who will carry out the initial investigation and remediation; and
- as a second step, apply for a review of any CLPO decision to a newly established independent Data Protection Review Court (DPRC). Judges with experience in data protection and national security will be appointed from outside the US government and, importantly, the DPRC’s decisions will be independent and binding.
- calls on the Privacy and Civil Liberties Oversight Board to review intelligence community policies and procedures to ensure that they are consistent with the EO and to conduct an annual review of the redress process, including to review whether the US intelligence community has fully complied with determinations made by the CLPO and the DPRC.
The EO and the Framework form the basis for the European Commission to formally adopt a new adequacy decision under the EU GDPR, a process that will take around six months (March 2023). Until an adequacy decision is achieved, the European Commission has reminded companies of existing tools that may be utilised for international transfers, such as the Standard Contractual Clauses and Binding Corporate Rules.
The White House seems confident that the steps set out in the EO will address the concerns raised from Schrems II and satisfy the European Commission. However, Max Schrems has suggested that noyb or another privacy group could make another challenge if they do not consider it to be in line with EU law.
What does this mean for UK-US data transfers?
The Framework will not apply to transfers from the UK to the US. The UK has previously announced that the US is a priority for an adequacy partnership.
Whilst it is indicated that there may be an adequacy decision from the European Commission within 6 months (March 2023), the UK Government may issue an equivalent decision even sooner, with the government signalling its intent to lay adequacy regulations in Parliament in early 2023. Demonstrating its commitment to progressing the discussions on adequacy, on the same day the EO was published, the UK government published a US-UK Joint Statement on a New Comprehensive Dialogue on Technology and Data and Progress on Data Adequacy. The Statement announced "significant progress on UK-US data adequacy discussions" and set out the government's intention to “work expediently to conclude its assessment, with the aim of issuing an adequacy decision that will restore a stable and reliable mechanism for UK-US data flows”.
Written by Callum Payne and Olivia Ward