Since the Privacy Shield was invalidated more than two years ago by the Court of Justice of the EU’s (CJEU) “Schrems II” decision, personal data transfers from the EU to the US have been in question. However, on 25 March 2022, President von der Leyen and President Biden announced that they had reached an “agreement in principle” on a new EU-U.S. Data Privacy Framework (Framework), with the aim of addressing the concerns raised by the CJEU in its “Schrems II” decision. A few months on, it has been confirmed that President Biden has signed an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ which implements the Framework into US law (Executive Order).

Here, we explore: (i) what the Executive Order is and what it aims to achieve; (ii) how far we are from the EU-US Data Privacy Framework being finalised; and (iii) whether it differs significantly from the Privacy Shield, or whether we can expect it to be struck down by the CJEU as the Safe Harbour Agreement and Privacy Shield Framework were.

Schrems II and the current position in respect of EU-US personal data transfers

Since the infamous “Schrems II” decision and the concerns raised by the CJEU, businesses have generally had to rely on the European Commission’s (EC) Standard Contractual Clauses (SCCs) combined with “transfer impact assessments” (TIAs) to validate transfers from the EU to the US.

In particular, the CJEU was concerned that U.S. foreign intelligence authorities undermined the commercial protections of the Privacy Shield Framework, because the U.S. government was able to access personal data transferred from the EU without: (i) appropriate “proportionality” restrictions; and (ii) oversight mechanisms, such as review by independent bodies and redress for affected data subjects.

What is the Executive Order and what does it aim to achieve?

The Executive Order implements the Framework that aims to address the points raised by the CJEU.

It implements into US law binding safeguards limiting access by US intelligence services and authorities to personal data transferred from the EU to what is “necessary and proportionate to protect US National Security”. It requires US intelligence agencies to review their policies and procedures to implement these new safeguards.

A “two layer” redress mechanism is also established:

  1. Civil Liberties Protection Officer (CLPO): data subjects whose personal data has been transferred from the EU to the US will be able to lodge a complaint with the ‘Civil Liberties Protection Officer’ of the US intelligence community. This person is responsible for ensuring compliance by US intelligence agencies with privacy and fundamental rights;
  2. Data Protection Review Court (DPRC): an “independent and impartial redress mechanism” with remit to investigate and resolve complaints from data subjects whose personal data has been transferred from the EU to the US, regarding access to their personal data by US national security authorities. Data subjects can appeal the decision of the CLPO to this court.

What can we expect next?

The EC will now prepare a draft adequacy decision and launch its adoption procedure, which includes submission to the European Data Protection Board (EDPB) for its opinion on the new changes. The EDPB’s findings are not binding, but if it determines that the Framework does not provide protection for transferred personal data that is “essentially equivalent” to that in the EU, further negotiations could be triggered.

The EC will also have to put the proposal before an EU committee composed of representatives from each EU Member State, who will then vote on whether to approve it. In addition, the European Parliament has a right of scrutiny.

If finalised and adopted, personal data will be able to flow freely between the EU and US under the new Framework, without the need for any additional safeguards. The process could take several months; for now, however, organisations should continue to rely on SCCs and TIAs.

Does the Framework differ significantly from the Privacy Shield, and can we expect privacy advocates to target the Framework?

Arguably, the Framework provides significant improvements over the Privacy Shield, in particular by limiting US national security authorities’ ability to access personal data transferred from the EU to the US and by establishing the new redress mechanism.

However, privacy advocates (including NOYB, headed by Max Schrems) have already stated that the Framework is insufficient. NOYB argues that there is no indication that US mass surveillance will change in practice and that so-called “bulk surveillance” will continue under the Framework. NOYB has also criticised the redress mechanism, arguing that the DPRC is not a “real court” in the normal legal meaning under US law, but a body within the US government’s executive branch which does not sufficiently provide judicial redress.