The Road Ahead for Transatlantic Data Flows

On October 7, President Joe Biden signed the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which outlined the next steps in implementing the U.S. commitments under the European Union-U.S. Data Privacy Framework announced in March of 2022.

The Executive Order in a Nutshell

This new EU-U.S. data transfer framework will introduce safeguards for U.S. intelligence services’ access to European personal data, overcoming the landmark Schrems II ruling, in which the EU Court of Justice invalidated – for the second time – the legal framework for transferring personal data across the Atlantic.

The new Executive Order will provide binding safeguards for EU citizens that limit access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security in a two-layer process:

·???????The creation of a Civil Liberties Protection Officer, responsible for conducting initial investigations to verify complaints on whether the executive order has been violated.

·???????A new Data Protection Review Court to investigate and resolve complaints regarding access to EU citizens’ data by U.S. national security authorities.

The next step is for the European Commission to do a formal adequacy assessment and launch an adoption procedure.

Impact on Business

For years, companies have been transferring customer information between the EU and the U.S. using the Privacy Shield Framework. But after the Schrems II ruling, thousands of companies were plunged into legal limbo and forced to make do with costly and complex procedures to comply with data protection policies.

Smaller companies were impacted disproportionately, as they did not have large compliance departments and massive legal teams to work on time-consuming data transfer agreements. This new Executive Order aims to change just that.

?The EU-U.S. data privacy agreement aims to restore trust among Europeans concerned by U.S. government surveillance, while at the same time preserving the estimated $7.1 trillion EU-U.S. economic relationship and making data compliance easier for smaller businesses.

Privacy Advocates React

While companies will certainly benefit from these new data transfer developments, privacy activists appeared unpersuaded. Max Schrems, the lead litigant behind the two Schrems cases, issued a statement on his website noyb.eu, saying it was “regrettable that the EU and US have not used this situation to come to a 'no spy' agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.”

Ursula Pachl, deputy director general of the European Consumer Organization (BEUC) told Wired that “however much the U.S. authorities try to paper over the cracks of the original Privacy Shield, the reality is that the EU and US still have a different approach to data protection which cannot be canceled out by an executive order.”

Pachl also said in a statement that “however much the U.S. authorities try to paper over the cracks of the original Privacy Shield, the reality is that the EU and U.S. still have a different approach to data protection which cannot be canceled out by an executive order.”

Schrems went so far as to suggest that his organization will take legal action against any decision, even though the European Commission explicitly voiced certainty that the Court of Justice of the EU would not strike down the new agreement.

For now, companies will have to stay the course on data transfers, until the European Union authorities make the decision to implement the new EU-U.S. Data Privacy Framework. The hope remains that regulatory compliance on data protection will become easier to achieve once the EU formalizes the agreement, which is expected to happen in March 2023.