President Biden issued an executive order adopting the EU-US Data Privacy Framework on October 7, 2022. This framework, announced in March, will replace the Privacy Shield program, which the EU Court of Justice rejected in July 2020 with its Schrems II judgement. According to that judgement, the United States did not offer a level of data protection “essentially equivalent” to that given by the EU, because signals intelligence collection by U.S. agencies was deemed too extensive and EU citizens were not provided with appropriate remedies.
The new framework is designed to make cross-border transfers of personal information from the EU to the US easier in accordance with the EU’s General Data Protection Regulation (GDPR). The presidential order explicitly concerns how the US intelligence community handles the personal data of EU citizens and responds to complaints from EU residents. The executive order, which details the pledges made in the March statement, provides the foundation for the EU to proceed with an “adequacy” decision under the GDPR covering cross-border data transfers. With these extra safeguards in place, a revamped cross-border transfer framework is likely to be approved over the next few months.
According to the White House Fact Sheet that accompanied the March announcement, the new framework requires that U.S. intelligence agencies conduct data-gathering operations only as necessary to advance legitimate national security objectives and without a disproportionate impact on individual privacy and civil liberties. The independent Privacy and Civil Liberties Oversight Board is charged with assessing how the US intelligence community applies the new principles and processes, including the outcome of redress decisions, and with performing yearly compliance reviews.
The revamped framework offers a multi-tiered mechanism for EU citizens to seek redress for any infringement, replacing the government’s “ombudsperson” approach, which the EU court dismissed as insufficient. EU citizens may begin by filing a complaint with the Civil Liberties Protection Officer (CLPO) at the Office of the Director of National Intelligence, who will conduct an initial inquiry and issue binding determinations. As a second level of review, the US Department of Justice will create an independent Data Protection Review Court comprising independent judges who will review the CLPO’s rulings and “have full ability to adjudicate allegations and take remedial actions as warranted.” EU citizens may bring their grievances via “special advocates” who will represent their interests.
Before it was invalidated, over 5,300 firms participated in the Privacy Shield program. Furthermore, the decision to invalidate Privacy Shield raised questions about the adequacy of other data transfer mechanisms, such as standard contractual clauses and binding corporate rules. The protections and requirements outlined in the March statement and the executive order issued on October 7 would also apply to data transferred via these alternative mechanisms.
The EU will next assess whether the US commitments satisfy the GDPR’s “adequacy” criterion for the transfer of personal data, a process that is expected to take approximately six months. Participation in the revamped framework, if authorized by the European Commission, would require enterprises to self-certify their compliance with the US Department of Commerce. Although any adequacy finding will almost certainly be contested in EU courts, the new framework will provide considerably more assurance to the numerous companies that rely on cross-border data flows to support billions of euros in yearly cross-border trade.