In March 2022, U.S. and EU leaders reached an agreement in principle on a new accord to protect data flows entitled the Trans-Atlantic Data Privacy Framework (“EU-U.S. DPF”). Today, the US Government has taken important steps to implement this critical data flow framework and strengthen legal certainty for EU to US personal data transfers.
First, President Biden signed an Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities” (“EO”). The EO enhances privacy principles governing US authorities’ signals intelligence activities, and establishes a signals intelligence redress mechanism for the Civil Liberties Protection Officer of the Office of the Director of National Intelligence (“CLPO”) to review qualifying complaints and direct appropriate remediation. CLPO decisions will be reviewed by the Data Protection Review Court.
Second, the US Secretary of Commerce Gina Raimondo announced that she will transmit to the European Commission a series of letters from relevant U.S. government agencies and documents outlining the operation and enforcement of the EU-U.S. DPF. It is expected that these deliverables will include enhanced and clarified provisions regarding the commercial aspects of the framework relating to the EU General Data Protection Regulation (“GDPR”).
As explained by Secretary Raimondo, the US Government anticipates that these commitments fully address the Court of Justice of the European Union’s 2020 Schrems II decision, which had invalidated the EU-US Privacy Shield Arrangement. The US Government considers that these actions will also provide greater legal certainty for personal data transfers to the United States under EU law, including those using Standard Contractual Clauses, Binding Corporate Rules, or a future adequacy decision for the EU-U.S. DPF.
What are the commercial implications of today’s actions?
There are many important commercial implications of today’s actions, including the following:
1) Strengthen legal analysis within company data transfer impact assessments. Companies can begin right now to reflect the enhanced privacy protections in the EO in their own implementations of transfer impact assessments (“TIAs”) for EU to US data transfers. The EO’s increased privacy protections, including for assuring necessity and proportionality for US agencies’ surveillance activities, as well as the independent review of determinations made by CLPO, can be helpfully reflected in those commercial arrangements on Trans-Atlantic data transfers.
2) Foundation for adequacy decision for the EU-U.S. DPF. The EO and supporting actions from the US Government provide a foundation for the European Commission to initiate a proceeding to achieve an adequacy decision for the EU-U.S. DPF. The adoption of such an adequacy decision will be instrumental in helping to protect EU to US data flows, particularly for small and medium-sized enterprises, which comprise approximately 70% of the participants in the predecessor to the EU-U.S. DPF.
3) Enhanced Trans-Atlantic economic integration. At a time when the world appears to be heading toward greater economic uncertainty, today’s EO and other actions, along with a hoped-for approval of an adequacy decision for the EU-U.S. DPF, will help assure enhanced Trans-Atlantic economic integration. This would represent a much-needed boost in an otherwise challenging time.
What should companies do?
Companies should begin now to leverage the improved privacy protections as described above in commercial dealings, including transfers based on standard clauses, binding corporate rules, and the like, while continuing their current efforts toward compliance with privacy laws and regulations. Companies should also stay tuned to learn more about the commercial enhancements in the EU-U.S. DPF and evaluate options for cross-border data transfers.
If you have any questions, please do not hesitate to reach out to any of the contacts from the Baker McKenzie Privacy & Security team listed below.