Privacy Law
US Takes Next Steps toward EU Adequacy Decision: President Biden Signs Executive Order
By Andrew Scott & Paul Lanois
On October 7, 2022, the U.S. took the next step in achieving an EU adequacy decision (i.e. a decision from the European Commission that a territory or country offers levels of data protection that are essentially equivalent to that within the EU, enabling transfers of personal data to such location): President Biden signed an Executive Order that laid out the steps the United States will take to implement the U.S. commitments under the European Union-U.S. Data Privacy Framework (EU-U.S. DPF), which was announced by President Biden and EU Commission President von der Leyen in March 2022.
The text comes in the form of the Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities ("EO"). The goal of the EO is to overcome the reasons the Court of Justice of the European Union (CJEU) relied on to invalidate the EU-US Privacy Shield on June 16, 2020, in the Schrems II decision. Specifically, the EO attempts to address the CJEU's concerns that under the existing US legal framework there 1) are insufficient safeguards protecting EU citizens' personal data from U.S. national security collection practices and 2) is an insufficient redress mechanism for EU citizens.
The new EO aims to overcome these hurdles with a new set of rules and binding safeguards that limit access to data by U.S. intelligence, and with a new two-tier redress system to investigate and resolve Europeans' complaints about such access.
Specifically, the EO will: (1) limit access to data by US intelligence authorities to what is deemed "necessary and proportionate" to protect national security; and (2) establish an independent and impartial redress mechanism to investigate and resolve complaints regarding access to data by US national security authorities.
To help the public understand how this new EU-US Data Privacy Framework (EU-US DPF) will work, the US has provided a Fact Sheet and the EU Commission has produced a Q&A. In particular, the European Commission stated in their Q&A that these are "significant improvements compared to the mechanism that existed under the Privacy Shield" framework that "provide a durable and reliable legal basis for transatlantic data flows".
Initial impressions as to whether the new framework will pass CJEU muster have been mixed. Some are optimistic that this effort is a good next step in reviving the previously-failed Privacy Shield framework. This would also help reduce concerns surrounding international transfers of data, for example in light of the recent decisions from European data protection authorities surrounding the use of tools such as Google Analytics. Some, however, feel this new effort will still be unlikely to fully satisfy the requirements under EU law.
The need for companies to have an adequacy decision to transfer data across the Atlantic is paramount. Transatlantic data flows account for more than half of Europe's data flows and about half of U.S. data flows globally – trillions of dollars are at stake.
The most popular methods to transfer data to the U.S. are using Standard Contractual Clauses or Binding Corporate Rules; however, even these methods are subject to U.S. national security collection practices. Importantly, the EU Commission has confirmed that all the safeguards that the Commission agreed with the US Government in the area of national security (including the redress mechanism) will be available for all transfers to the US under the GDPR, regardless of the transfer tool used.
It is estimated that it could take 6 months (Q2) for the EU's adequacy decision to be granted and adopted.