On Friday, 7 October 2022, President Joe Biden signed an Executive Order (EO), which will enable the implementation of the new EU-US Data Privacy Framework (the Framework) – a development which has been long-awaited by all organisations that transfer data between the EU and US.
The Framework aims to fill the void which was left following the invalidation of the Privacy Shield, after the Court of Justice of the EU’s “Schrems II” decision of 16 July 2020, which found that the Privacy Shield offered insufficient protection to EU data subjects.
A statement released by the White House has explained that the Framework intends to “restore an important legal basis for transatlantic data flows”. Specifically, it aims to address EU concerns over the surveillance practices in the US. The EO addresses these concerns by:
- firstly, adopting new safeguards which will regulate US intelligence gathering, requiring that it be limited to what is necessary and proportionate; and
- secondly, introducing a new two-step redress mechanism: data subjects in ‘qualifying states’ who believe their data has been processed in violation of applicable US law (including the enhanced safeguards in the EO) will be able, in the first instance, to complain to the Director of National Intelligence’s Civil Liberties Protection Officer (CLPO) and, as a second step, to apply to a newly established independent Data Protection Review Court for a review of any CLPO decision.
In a statement released earlier in the year by the European Data Protection Board (EDPB), the Framework was described as “a positive first step in the right direction”. The EDPB also stated that they were looking forward to assessing the Framework and in particular analysing:
- in detail how these reforms ensure that the collection of personal data for national security purposes is limited to what is strictly necessary and proportionate; and
- to what extent the announced independent redress mechanism respects the EEA individuals’ right to an effective remedy and to a fair trial.
The Framework - next steps:
The introduction of the Framework will now stimulate the launch of the European Commission’s adequacy assessment of the US. This process will involve a draft adequacy determination being put forward by the Commission, the EDPB issuing a non-binding opinion, a vote by EU member states to approve the determination and finally, a formal adoption by the European Commission College of Commissioners.
This process of ratification could take as long as six months, which would mean an adequacy decision may not materialise until March 2023. Until then, it would be prudent for organisations to continue to follow the EDPB’s recommendations on measures that supplement transfer tools, to ensure compliance with the EU level of protection of personal data.
Organisations within the EU will hope that the Framework is able to resolve the issues raised by “Schrems II”, given the current burden related to undertaking EEA-US transfers. However, it remains to be seen whether this new arrangement will be safe from activist Max Schrems, who has already stated that “At first sight, it seems that the core issues were not solved and it will be back to the CJEU (EU court) sooner or later”.
US-UK joint statement:
In addition to the EO being signed on 7 October 2022, the US and UK issued a joint statement entitled ‘New Comprehensive Dialogue on Technology and Data and Progress on Data Adequacy’ which included two main announcements:
- The US-UK Technology Partnership: which will involve the creation of a new ‘senior-level Comprehensive Dialogue on Technology’, aiming to boost joint efforts and fully realise the advantages of technological advancements; and
- Significant progress on UK-US data adequacy discussions: in the joint statement the UK is recorded as welcoming the release of the EO and as intending to work “expediently to conclude [their] assessment, with the aim of issuing an adequacy decision that will restore a stable and reliable mechanism for UK-US data flows”. Crucially, the US stated that, subject to the UK meeting the necessary prerequisites, they intend to “designate the UK as a qualifying state under the EO”; this will enable UK individuals who submit qualifying complaints to access the EO’s redress mechanism. Such designation will likely form the basis of, and play a significant role in, the UK reaching an adequacy decision in relation to the US at an expedited rate.
The Department for Digital, Culture, Media & Sport also issued a press release on 7 October highlighting the positive progress made.
Businesses in the UK therefore wait with bated breath for further progress on the UK-US adequacy discussions, with the hope that they take the same course as the Framework. However, given Mr Schrems’ comments, it remains to be seen whether these activities will solve the issues around transatlantic data transfers. Watch this space!