Since the invalidation of the EU-US Privacy Shield by the Court of Justice of the European Union (the "CJEU"), the long-term lawfulness of cross-border transfers of personal data from the European Union to the United States remains uncertain. Private and public players must therefore rely on alternative tools provided by Chapter V of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (the "GDPR"). Recently, the President of the United States signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the "Executive Order"), which will provide enhanced protection for the free flow of personal data between the European Union and the United States for a "durable and reliable legal basis for transatlantic data flows".1
Enhanced protection provided by the Executive Order
The Executive Order builds upon the preliminary agreement in principle2 which the European Commission and the United States have reached on a new EU-U.S. Data Privacy Framework. Essentially, the Executive Order addresses the concerns raised by the CJEU when invalidating the EU-U.S. Privacy Shield in 2020. More precisely, it (i) establishes binding enhanced protections for European data subjects and (ii) reinforces their safeguards when personal data is collected through the activities of the members of the Intelligence Community.3 These enhanced protections imply:
- that personal data collected through said activities may only be collected for a defined national security objective and only when necessary to advance a validated and proportionate priority;
- the establishment of an independent and impartial two-step redress mechanism which includes a Civil Liberties Protection Officer as well as a Data Protection Review Court to investigate and to resolve complaints and access requests by European data subjects.
What are the next steps?
Based on the Executive Order, the European Commission has announced the preparation of a draft adequacy decision, which is the first step of a longer process involving review by the Member States and by the European Data Protection Board. This process could, in principle, take between six months and one year.
What should companies (and other data exporters) do in the meantime?
Until an adequacy decision is adopted, all transfers of personal data to the United States must be performed via the alternative tools provided by Chapter V of the GDPR. Currently, standard contractual clauses (the "SCCs") remain the most commonly used transfer tool. In June 2021, the European Commission adopted its most recent SCCs, which will provide more flexibility and which should cover various transfer scenarios in one single document. The deadline to transition existing data transfer arrangements based on the "old" SCCs to the 2021 SCCs is set for 27 December 2022. Companies and other players must therefore replace existing data transfer agreements with the most recent SCCs before the end of this year.
Towards Schrems III?
Once drafted and adopted, a final adequacy decision can, however, still be challenged before the CJEU. Several privacy rights agencies have already expressed their scepticism as to whether the Executive Order will be sufficiently protective or will address in a satisfactory manner the concerns raised by the CJEU in its Schrems II ruling. It therefore remains uncertain whether the Executive Order is laying the basis for a durable framework for international data transfers.
1. Press Release: Questions & Answers: EU-U.S. Data Privacy Framework 7 October 2022 (here)
2. European Commission and United States Joint Statement on Trans-Atlantic Data Privacy Framework (here)
3. The U.S. Intelligence Community is composed of the following 18 organizations (here)