New step towards a legal framework securing free data transfers between the EU and the US

New step towards a legal framework securing free data transfers between the EU and the US

In 2022, the question about free data flows between the European Union and the United States has been a hot topic. The end of March 2022 was a milestone moment as that was the time when the EU and the USA reached an agreement in principle on the so-called Trans-Atlantic Data Privacy Framework (you can recall our update on the matter here). Its purpose is to fill in the legislative gap after the ECJ’s Schrems II decision. The latter struck down the EU Commission’s adequacy decision in favour of the EU-US Privacy Shield thus impeding easy flows of personal data.

A new major step towards securing free data transfers between the EU and the US was made by the US President Joe Biden on 7 October 2022. He signed a dedicated Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities. The action is a landmark one in the process as the order implements in a legal document the commitments the US undertook earlier this year.

It is apparent that the new Executive Order aims at providing a higher standard for personal data protection as opposed to the revoked EU-US Privacy Shield. The most important novelty is that the access to personal data by the US intelligence authorities will be now limited to what is necessary and proportionate to protect the US national security. As the definitions of proportionality under EU and US law have been said to differ, it still remains to be seen how the two will coexist.

Another breakthrough is the establishment of a two-level independent and impartial redress mechanism. In other words, there will be two levels on which EU data subjects will have an option to protect their privacy and object when there are concerns that their personal data are not lawfully processed in the US. The first level will be the so-called “Civil Liberties Protection Officer” in the Office of the Director of National Intelligence. He will be authorized to investigate complaints and make decisions. The second level will be the newly created Data Protection Review Court. It will consist of members with specific qualifications who cannot receive instructions from the US government. This body will be able to render binding decisions. For example, if this new dedicated court finds that data was collected in violation of the safeguards provided in the Executive Order, it will be able to order the deletion of the data.

Now, the ball is at the European Commission.  It will have to prepare a draft adequacy decision for data transfers to the US and start the procedure of its adoption. The process is expected to take roughly six months. Until then, companies are not allowed to rely on the Executive Order as a legal instrument for free and secure data transfers from the EU to the US.

For further information contact:
Mileslava Bogdanova – Misheva, Senior Associate
Simona Mokreva, Associate