On October 7, 2022, the U.S. President signed the Executive Order implementing the new Data Privacy Framework for data transfers between the EU and the U.S. This is an important step towards eliminating the legal uncertainty that has existed for data transfers from the EU to the U.S. since the ruling of the European Court of Justice in the “Schrems II” case. You can find out here what companies should now bear in mind.
What is at stake?
The U.S. government announced on Oct. 7 on the White House website that President Biden has signed the Executive Order to Implement the European Union-U.S. Data Privacy Framework. In doing so, the U.S. government is creating the additional rule-of-law safeguards protecting European citizens against data access by U.S. authorities and U.S. intelligence agencies that it agreed to with the European Commission in March 2022. The U.S. government and the European Commission are hereby addressing the rule-of-law criticism of the previously very limited legal remedies available to European citizens, which had led the European Court of Justice to declare the previous legal mechanism for data transfers to the U.S. null and void in its “Schrems II” ruling of July 2020 (C-311/18).
What is the content of the Executive Order – and what happens next?
According to its FAQs published on the same day, the European Commission now expects the EU-U.S. Data Privacy Framework (DPF) to withstand future review by the European Court of Justice, unlike its predecessors, the EU-U.S. Privacy Shield and the Safe Harbour agreement. The Commission has therefore initiated proceedings for the adoption of a new adequacy decision, and it is currently expected that such a decision will be issued in March 2023. With an adequacy decision, the Commission determines, pursuant to Art. 45 GDPR, that the third country in question provides a level of data protection comparable to that of the EU, so that personal data may be transferred to that third country even without additional safeguards.
According to the U.S. government and the European Commission, the Executive Order gives EU citizens binding safeguards that limit access to their data by U.S. intelligence agencies to what is necessary and proportionate to protect national security. This is coupled with the establishment of a new redress mechanism, including the possibility of a data subject complaint to a newly created Data Protection Review Court (DPRC).
However, it remains to be seen how the European Data Protection Board (EDPB) will position itself on this in the consultation procedure preceding the adoption of the adequacy decision. NOYB, Max Schrems’ organization, has already pointed out that the Executive Order continues to permit bulk surveillance and that there could be doubts about the independence of the DPRC, because it is not an ordinary U.S. court but a special internal administrative tribunal. It is more than likely that the legal effectiveness of the DPF will also ultimately be heard by the European Court of Justice – although this time there is a good chance that it could satisfy the rule-of-law requirements of the EU Charter of Fundamental Rights.
What does this mean for the current legal situation?
The Executive Order does not (yet) change the current, uncertain legal situation for data transfers to the U.S. Until a (possible) adequacy decision by the EU Commission, companies must continue to use the transfer mechanisms currently available, as the Commission also points out in its FAQ. As a rule, companies must agree with the data importer in the U.S. on the Standard Contractual Clauses (SCC) of June 4, 2021, plus additional contractual or technical measures to ensure an adequate level of data protection. Notably, the Executive Order does not change the requirement that SCC in legacy contracts be replaced with the current SCC by December 27, 2022. A documented data transfer impact assessment (“TIA”) under Section 14 of the SCC also remains mandatory. However, as part of such a TIA, the Executive Order’s new legal protections may be taken into account once they are actually implemented. Section 3(d)(i) of the Executive Order provides that the Attorney General shall, within 60 days, promulgate the regulations necessary to establish the Data Protection Review Court.
What does this mean for the future legal situation?
However, it would be a mistake to assume that agreeing on SCC and conducting TIAs will soon become obsolete. First, while an adequacy decision by the EU Commission is very likely, it is not impossible that the required opinion of the EDPB and the European Parliament’s right of review could still put obstacles in the way of such a decision. Second, it is currently difficult to predict whether the DPF will be upheld by the European Court of Justice in the future. If the European Court of Justice were to annul the DPF, that decision would probably have retroactive effect, just as in the case of the EU-U.S. Privacy Shield. It would therefore be advisable to follow the best practice already proven under the Privacy Shield and to agree on the SCC at least as a precautionary measure. In the relationship with U.S. companies, this also has the advantage of fulfilling the legal requirements for a processing agreement pursuant to Art. 28 GDPR, requirements that the data processing addenda of U.S. providers would otherwise often fail to meet.
What should companies be advised to do?
Even if the Executive Order of October 7, 2022 gives justified hope that the legal uncertainty associated with data transfers to the U.S. could be alleviated in the first quarter of 2023 by an adequacy decision of the EU Commission, companies are nevertheless well advised to continue reducing the data protection risks of their data exports to the U.S. In particular, old contracts should be converted to the new SCC by December 27, 2022, and in new contracts any technical measures offered by the U.S. provider (such as data residency within the EU or bring-your-own-key encryption) should be agreed. Finally, companies should continue to document TIAs as part of the new SCC – but at least in this respect, the Executive Order is already helpful today.