Data Protection & CybersecurityPrivacy & Cybersecurity

Is the U.S. executive order the solution to data transfer?

The President of the United States has adopted the executive order to create the EU-US Data Privacy Framework, but is this the solution to the transfer of personal data out of the EEA?

The big news is that President Biden signed the executive order from which the European Commission’s adequacy decision on the transfer of personal data from the European Union to the United States might follow.

Below is our analysis of the situation and the possible consequences:

What does the U.S. executive order provide on the framework for data transfer?

The main contents of the executive order:

1.  adds safeguards for U.S. intelligence activities.  In particular, the executive order recalls the principles of necessity and proportionality also provided for in the GDPR

📌 It will be decisive to understand whether these principles will be applied by the U.S. government according to the same interpretation as provided by the European Privacy Regulation to avoid the critical issues challenged by the European Court of Justice in the Schrems 2 ruling will remain.

2.  imposes requirements on processing for personal data collected through intelligence activities

📌 We will need to understand whether U.S. companies must comply with the same principles under the GDPR regarding data transferred from the European Union (e.g., the legal basis of processing and lawfulness of processing).

3.  requires U.S. intelligence to update its policies and procedures to reflect the new privacy and civil liberties safeguards contained in the executive order

📌 This obligation is a consequence of the above measures.  It should be kept in mind, however, that the executive order is not a law provision; therefore, a subsequent U.S. president could quickly rescind the order.

4. creates a multi-tiered mechanism for individuals to obtain an independent and binding review and damages in the event of claims that their personal data collected by U.S. intelligence has been processed in violation of applicable U.S. law as outlined below:

  • First level, the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO).
  • Second level, the Data Protection Review Tribunal (“DPRC”).

📌 This provision will also be decisive in assessing the adequacy of the U.S. regulations as it will have to be understood whether it will indeed be an independent court or has the same critical issues as the Ombudsperson envisaged by the Privacy Shield.

5. calls on the Privacy and Civil Liberties Oversight Board to review the Intelligence Community’s policies and procedures to ensure that they are consistent with the executive order.

📌 The same assessments as in point 3 above apply.

What are the effects of the executive order, and what should the European Commission do now?

Although the executive order is not a provision of law, it is binding with immediate effect within the U.S. governmental organization.  As the European Commission explained in its FAQs, the process leading to an eventual adequacy decision is still long.

The European Commission will have to obtain an opinion from the European Data Protection Board (EDPB) and the green light from a committee composed of representatives of EU member states.  In addition, the European Parliament has the right to scrutiny over adequacy decisions.

This is a process that is estimated to take about six months.

What should companies do before the European Commission’s adequacy decision?

The FAQs published by the European Commission suggest that, pending the adequacy decision, companies should continue to use the other tools available to them to regulate the transfer of data to the U.S., such as Standard Contractual Clauses that require them to perform the data transfer assessment.  This approach is recommended, even considering the early “battle” comments published by NOYB, the association run by Max Schrems. Their actions have already led to invalidating tools to support data transfers to the United States.

In a recent speech, Guido Scorza, a member of the Board of the Italian Data Protection Authority, anticipated that there might be a joint position by the European privacy authorities on the issue.  The problem mainly arises with tools such as Google Analytics, whose use has been challenged by several European data protection authorities, including the Garante, even providing a deadline for companies to comply.

In the current situation, it must be taken into account that the U.S. executive order is immediately binding beyond the possible future adequacy decision.  The risk assessment of transferring personal data to the United States has changed.  Our team at DLA Piper is quickly updating the U.S. country assessment for transfer assessment (TIA) purposes through our legal tech tool “Transfer” to support our clients.  Beyond what will be decided on adequacy, the executive order is immediately applicable, and therefore the U.S. law assessment to transfer personal data to the United States is modified.  It is understood then that, even after any adequacy decision regarding the US, TIAs will continue to be required for data transfers to other countries outside the EEA that do not have an adequacy decision.

Our legal tech tool and methodology to support companies in TIAs called “Transfer” can currently handle transfers to 68 countries and is used by 200+ clients.  You can find a presentation on Transfer at the link HERE.

Don't miss our weekly insights

Show More

Giulio Coraggio

I am the location head of the Italian Intellectual Property & Technology department and the global co-head of the IoT and Gaming and Gambling groups at the world-leading law firm DLA Piper. IoT and artificial intelligence influencer and FinTech and blockchain expert, finding solutions to what's next for our client's success.

Related Articles

Back to top button