Since the invalidation of the EU-US Privacy Shield by the Court of Justice of the European Union ("CJEU"), the long-term lawfulness of cross-border transfers of personal data from the European Union to the United States remain uncertain. Private and public players must therefore rely on alternative tools provided by Chapter V of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data ("GDPR"). Recently, the President of the United States has signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities ("Executive Order")which will provide enhanced protection for the free flow of personal data between the European Union and the United States for a "durable and reliable legal basis for transatlantic data flows".1
Enhanced protection provided by the Executive Order
The Executive Order builds upon the preliminary agreement in principle2 which the European Commission and the United States have reached on a new EU-U.S. Data Privacy Framework. Essentially, the Executive Order addresses the concerns raised by the CJEU when invalidating the EU-U.S Privacy Shield in 2020. More precisely, it (i) establishes binding enhanced protections for European data subjects and (ii) reinforces their safeguards when personal data is collected through the activities of the members of the Intelligence Community.3 These enhanced protections imply:
- that personal data collected through said activities may only be collected for a defined national security objective and only when necessary to advance a validated and proportionate priority
- the establishment of an independent and impartial two-step redress mechanism which includes a Civil Liberties Protection Officer as well as a Data Protection Review Court to investigate and to resolve complaints and access requests by European data subjects.
What are the next steps?
On 13 December 2022, in light of the Executive Order, the Commission issued a first draft adequacy decision (available here) on this potential upcoming EU-US Data Privacy Framework. This is a new step forward in the European Union and United States efforts to address the concerns raised by the CJEU in the aforementioned Schrems II decision issued July 2020. In a nutshell, the draft adequacy decision provides that the EU-US Data Privacy Framework based on the abovementioned Executive Order ensures a comparable level of safeguards for data subjects and their personal data than that in the EU.
The draft adequacy decision has now been transmitted to the European Data Protection Board who will perform its own assessment and publish its opinion. Members States will also be involved in the review process.
What should companies (and other data exporters) do in the meantime?
Until a final adequacy decision is adopted, all transfers of personal data to the United States must be performed via the alternative tools provided by Chapter V of the GDPR. Currently, standard contractual clauses ("SCCs") remain the most common used transfer. In June 2021, the Commission adopted its most recent SCCs which will provide more flexibility and which should cover various transfer scenarios in one single document. The deadline to transition existing data transfer arrangements based on the "old" SCCs to the 2021 SCCs is set for 27 December 2022. Companies and other players must therefore replace existing data transfer agreements with the most recent SCCs before the end of this year.
Towards Schrems III?
Once adopted, a final adequacy decision can, however, still be challenged before the CJUE. Several privacy rights agencies have already expressed their scepticism as to whether the Executive Order will be sufficiently protective or address in a satisfactory manner the concerns raised by the CJUE in their Schrems II ruling. It remains uncertain therefore whether the Executive Order is setting the basis for a durable framework for international data transfers.
1 Press Release: Questions & Answers: EU-U.S. Data Privacy Framework 7 October 2022.
2 European Commission and United States Joint Statement on Trans-Atlantic Data Privacy Framework.
3The U.S. Intelligence Community is composed of the following 18 organizations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.