In March 2022, U.S. and EU leaders reached an agreement in principle on a new accord to protect data flows entitled the Trans-Atlantic Data Privacy Framework (“EU-U.S. DPF”). Today, the US Government has taken important steps to implement this critical data flow framework and strengthen legal certainty for EU to US personal data transfers.

First, President Biden signed an Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities” (“EO”). The EO enhances privacy principles governing US authorities’ signals intelligence activities, and establishes a signals intelligence redress mechanism for the Civil Liberties Protection Officer of the Office of the Director of National Intelligence (“CLPO”) to review qualifying complaints and direct appropriate remediation. CLPO decisions will be reviewed by the Data Protection Review Court.

Second, the US Secretary of Commerce Gina Raimondo announced that she will transmit to the European Commission a series of letters from relevant U.S. government agencies and documents outlining the operation and enforcement of the EU-U.S. DPF. It is expected that these deliverables will include enhanced and clarified provisions regarding the commercial aspects of the framework relating to the EU General Data Protection Regulation (“GDPR”).

As explained by Secretary Raimondo, the US Government anticipates that these commitments fully address the Court of Justice of the European Union’s 2020 Schrems II decision, which had invalidated the EU-US Privacy Shield Arrangement.  The US Government considers these actions will also provide greater legal certainty for personal data transfers to the United States under EU law, including those using Standard Contractual Clauses, Binding Corporate Rules, or a future adequacy decision for the EU-U.S. DPF.

What are the commercial implications of today’s actions?

There are many important commercial implications of today’s actions, including the following:

1) Strengthen legal analysis within company data transfer impact assessments. Companies can begin right now to reflect the enhanced privacy protections in the EO in their own implementations of transfer impact assessments (“TIAs”) for EU to US data transfers. The EO’s increased privacy protections, including for assuring necessity and proportionality for US agencies’ surveillance activities, as well as the independent review of determinations made by CLPO, can be helpfully reflected in those commercial arrangements on Trans-Atlantic data transfers.

2) Foundation for adequacy decision for the EU-U.S. DPF. The EO and supporting actions from the US Government provide a foundation for the European Commission to initiate a proceeding to achieve an adequacy decision for the EU-U.S. DPF. The adoption of such an adequacy decision will be instrumental for helping to protect EU to US data flows, particularly for small and medium-sized enterprises, which comprise approximately 70% of the participants in the predecessor to the EU-U.S. DPF.

3) Enhanced Trans-Atlantic economic integration. At a time when the world appears to be heading toward greater economic uncertainty, today’s EO and other actions, along with a hoped-for approval of an adequacy decision for the EU-U.S. DPF, will help assure enhanced Trans-Atlantic economic integration. This would represent a much-needed boost in an otherwise challenging time.

What should companies do?

Companies should begin now to leverage the improved privacy protections as described above in commercial dealings, including transfers based on standard clauses, binding corporate rules, and the like, while continuing their current efforts toward compliance with privacy laws and regulations. Companies should also stay tuned to learn more about the commercial enhancements in the EU-U.S. DPF and evaluate options for cross-border data transfers.

If you have any questions, please do not hesitate to reach out to any of the contacts from the Baker McKenzie Privacy & Security team listed below.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Vin leads our London Data Privacy practice and is also a member of our Global Privacy & Security Leadership team bringing his vast experience in this specialist area for over 22 years, advising clients from various data-rich sectors including retail, financial services/fin-tech, life sciences, healthcare, proptech and technology platforms.

Author

Cynthia J. Cole is Chair of Baker McKenzie’s Global Commercial, Tech and Transactions Business Unit, a member of the Firm’s global Commercial, Data, IP and Trade (CDIT) practice group steering Committee and Co-chair of Baker Women California. A former CEO and General Counsel, just before joining the Firm, Cynthia was Deputy Department Chair of the Corporate Section in the California offices of Baker Botts where she built the technology transactions and data privacy practice. An intellectual property transactions attorney, Cynthia also has expertise in AI, digital transformation, data privacy, and cybersecurity strategy.

Author

Magalie Dansac Le Clerc is a partner in Baker McKenzie's Paris office. A member of the Firm's Information Technology and Communications Practice Group, she is a Certified Information Privacy Professional (CIPP).

Author

Elisabeth is a partner in Baker McKenzie's Brussels office. She advises clients in all fields of IT, IP and new technology law, with a special focus on data protection and privacy aspects. She regularly works with companies in the healthcare, finance and transport and logistics sectors.

Author

Elizabeth Denham CBE joined Baker McKenzie as International Consultant, Data and Tech in 2022. She has over 15 years' experience as a data protection regulator in four jurisdictions. She was most recently the Information Commissioner for the UK (2016-2021). During her tenure in the UK she also chaired the Global Privacy Assembly, the premier global forum for data protection, which brings together more than 130 data protection authorities around the world. She is recognized as a leader in enabling responsible data use by government and the commercial sector, and for implementing the GDPR into UK law. She tackled some of the most complex issues facing the digital economy, including the use of data in political campaigns, the use of live facial recognition technologies in the commercial and police sectors, and the transparent and fair use of analytics and AI. She is passionate about the protection of children online, ethical and accountable use of health data, and supporting companies to embed data protection and security into their services and offerings.

Author

Lothar has been helping companies in Silicon Valley and around the world take products, business models, intellectual property and contracts global for nearly 20 years. He advises on data privacy law compliance, information technology commercialization, interactive entertainment, media, copyrights, open source licensing, electronic commerce, technology transactions, sourcing and international distribution at Baker McKenzie in San Francisco & Palo Alto.

Author

Nathalja Doing is an associate in Baker McKenzie Amsterdam's Intellectual Property, Information Technology & Communications and Commercial practice groups. She is part of its IP and IT subgroups and the multidisciplinary Privacy Team. Nathalja has particular knowledge on various aspects of law and technology, specifically GDPR, platform laws, content regulation and IP.

Author

Dr. Lukas Feiler, SSCP, CIPP/E, has more than eight years of experience in IP/IT and is a partner and head of the IP and IT team at Baker McKenzie • Diwok Hermann Petsche Rechtsanwälte LLP & Co KG in Vienna. He is a lecturer for data protection law at the University of Vienna Law School and for IT compliance at the University of Applied Science Wiener Neustadt.

Author

Francesca Gaudino is the Head of Baker McKenzie’s Information Technology & Communications Group in Milan. She focuses on data protection and security, advising particularly on legal issues that arise in the use of cutting edge technology.

Author

Paul is head of cybersecurity in the UK and a key member of our wider data protection team. For 15 years, Paul has guided clients through all types of major data security incidents as well as complex technology and data disputes. Paul pioneered an award-winning data breach and dark web scanning tool which was the first product of its kind in the legal market.

Author

Margarita advises Swedish and international clients on a range of employment and data protection matters.

Author

Nick's practice focuses on privacy and cybersecurity, particularly in the healthcare and technology industries. His substantive technical experience, experience with the HIPAA Rules, and deep understanding of information security and privacy regulators' expectations, allows Nick to efficiently guide clients on compliance with emerging laws, regulatory oversight and obligations created through contract.

Author

Cristina focuses her practice on regulatory and transactional issues in global privacy and data protection, including data security, data breach notification, global privacy, website privacy policies, behavioral advertising, cross-border data transfers, and comprehensive compliance programs.

Author

Dr. Michaela Nebel is a partner in the Frankfurt office of Baker McKenzie. Prior to joining Baker McKenzie she studied law at the University of Passau. She obtained her Doctor of Law degree on a topic related to privacy in the Web 2.0. From July until December 2014 she practiced at the San Francisco office of Baker McKenzie. She is a member of the International Association of Privacy Professionals (IAPP) and since May 2015 a Certified Information Privacy Professional/Europe (CIPP/E) and since May 2017 a Certified Information Privacy Professional/United States (CIPP/US). She is also the author of numerous articles on information technology law, in particular on data protection law and e-commerce law, and the co-author of an English language commentary on the EU General Data Protection Regulation.

Author

Yann has extensive experience in dealing with issues pertaining to internet law, data privacy protection, internet surveillance, cloud computing and whistle blowing. He has assisted numerous businesses with complex projects involving information technologies (big data compliance, ethics of algorithms, data governance, profiling, e-discovery procedures, etc.). Yann also advises on compliance disputes.

Author

Patricia Perez joined the Information Technology & Communications Department of Baker & McKenzie in Madrid in 2013. Her prior experience includes working at national law firms in the Corporate and Intellectual Property and Information Technology departments.

Author

Stephen Reynolds frequently advises clients on complex matters involving data privacy and security laws and serves on the board of directors of the International Association of Privacy Professionals (IAPP). Stephen’s expertise adds value to organizations by mitigating cyber threats through proactive preventative measures and navigating complex litigation on behalf of clients in data privacy and security. He is uniquely able to use, and routinely uses, his computer background in cases involving data privacy and security, electronic discovery, social media discovery, and computer forensics.

Author

Prof. Dr. Michael Schmidl is co-head of the German Information Technology Group and is based in Baker McKenzie's Munich office. He is an honorary professor at the University of Augsburg and specialist lawyer for information technology law (Fachanwalt für IT-Recht). He advises in all areas of contentious and non-contentious information technology law, including internet, computer/software, data privacy and media law. Michael also has a general commercial law background and has profound experience in the drafting and negotiation of outsourcing contracts and in carrying out compliance projects.

Author

Florian Tannen is a partner in the Munich office of Baker McKenzie. He advises on all areas of contentious and non-contentious information technology law, including internet, computer/software and data privacy law.

Author

Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.