After a two year absence of a data privacy law framework for transferring personal data from the EU to the U.S., President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the "Order") on October 7, 2022, that will usher in a new EU-U.S. Data Privacy Framework (the "Framework").
The Framework will regulate how US intelligence agencies may collect data from EU citizens and create new mechanisms to address EU citizens' claims that personal information was collected or handled in violation of the Framework.
The Framework, which was first announced as an agreement in principle by Biden and European Commission President, Ursula von der Leyen in March 2022, is intended to re-establish the legal regime governing trans-Atlantic data flows, after the previous regime, the Privacy Shield, was invalidated in July 2020 by the Court of Justice of the European Union ("CJEU") ruling in the Schrems II case.
Although the Executive Order authorises implementation measures for this new Framework under U.S. law, ultimately, the European Commission will now need to issue an adequacy opinion to approve the Framework.
The Framework is anticipated to be formally adopted by the EU in the summer. However, it's likely to be made on the condition that the US Government implements all the new requirements, which may take a while.
Under the first step of that approval process, the European Data Protection Board (EDPB) has agreed the measures introduced by the Executive Order achieve two things:
- It goes a long way towards addressing the GDPR compliance issues highlighted in the Schrems ruling with respect to the US Government's bulk collection of EU originating personal data.
- It forms the bedrock of the new data protection framework that will eventually deem the US an 'adequate' country from an EU data protection law perspective.
The EDPB, which brings together the data protection supervisory authorities of all EU member states, flagged specific concerns that will need to be resolved prior to the EU's formal adoption of the Framework including (but not limited to):
- Improving the data protection principles to be observed by US data importers in relation to handling EU originating personal data (currently a copy and paste of the principles of the previously invalidated Privacy Shield framework).
- Evaluating the US Government's response to redress requests made by EU citizens, in relation to bulk data collection.
Conclusion
The new Framework will fill a significant gap and promises to provide businesses greater legal certainty in transferring EU personal data to the U.S. — for example, to cloud services providers. Moreover, approval by the European Commission will signal that U.S. privacy law protections are sufficient for transferring personal data to the U.S.
In the meantime ForgeRock will continue to help customers with managing their GDPR compliance obligations by offering EU standard contractual clauses backed up by Transfer Impact Assessments.