On 7.10.2022, US President Joseph Biden signed the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, outlining key directives to implement the U.S. commitments under the EU-U.S. Data Privacy Framework (‘EU-US DPF’), as announced in March 2020.
The Executive Order constitutes a major step with respect to trans-Atlantic data transfers, as it introduces new figurative safeguards to address all the questions raised by the annulment of the Privacy Shield in 2020 by the EU Court of Justice in its Schrems II judgment. For Europeans whose personal data is transferred to the US, the new Executive Order provides a number of additional safeguards that limit access to data by US intelligence authorities to what is necessary and proportionate in pursuit of national security objectives. Such intelligence activities include protection against espionage, terrorism or threats.
Furthermore, it establishes a new two-layer redress mechanism to address complaints about data collection. This mechanism involves both the ‘Civil Liberties Protection Officer’ of the US intelligence community and a new independent Data Protection Review Court. Under the first layer, EU individuals will be able to lodge a complaint with the so-called ‘Civil Liberties Protection Officer’ of the US intelligence community. Under the second layer, individuals will have the possibility to appeal the decision of the Civil Liberties Protection Officer before the Data Protection Review Court.
On this basis, the European Commission will propose a draft adequacy decision and launch its adoption procedure. After that, data will be able to flow freely and safely between the EU and US companies certified by the Department of Commerce under the new framework.
Since the announcement, various data protection authorities and industry bodies have published their first reactions, including the American Civil Liberties Union (‘ACLU’), which noted that “Congress must enact meaningful surveillance reform in order to meet basic legal requirements in the EU”.
Moreover, most businesses in the U.S. remain confused about how to handle their cross-border data transfers until the DPF is approved by the EU, alongside an adequacy decision. In addition, some U.S. businesses have chosen to leave their Privacy Shield certification, according to data from the U.S. Department of Commerce, relying instead on standard contractual clauses (SCCs). The European Commission will now commence its approval process, and EU officials continue to predict that a new trans-Atlantic data flow agreement could be in place as early as March 2023.
Until an adequacy decision is made for the EU-U.S. DPF, companies should continue to use existing mechanisms deemed by the EU to be sufficient, including the SCCs, and follow the European Data Protection Board’s recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection.
The Editorial Team