The US Office of the Director of National Intelligence (“ODNI”) announced today that it has fully implemented new safeguards under Executive Order 14086. See INTEL – ODNI Releases IC Procedures Implementing New Safeguards in Executive Order 14086. These steps clear the path for the European Commission to adopt the draft “adequacy decision” for cross-border data transfers pursuant to the EU-U.S. Data Privacy Framework.

By way of brief background, in July 2020, the Court of Justice of the European Union (“CJEU”) invalidated the adequacy finding for cross-border data transfers under the EU-US Privacy Shield. The CJEU’s decision was largely driven by a perceived insufficiency of privacy protections associated with certain US national security intelligence gathering activity in a decision called “Schrems II.” The CJEU’s invalidation of Privacy Shield created risk under the EU General Data Protection Regulation (“GDPR”) for EU and US companies that exchanged personal data transfers on the basis of Privacy Shield.  More information on Privacy Shield and Schrems II can be found here: https://www.connectontech.com/category/privacy-shield/

In response to Schrems II, the US government and the European Commission worked collaboratively to develop a successor transatlantic data transfer arrangement, called the EU-U.S. Data Privacy Framework (“DPF”).  From a substantive perspective, among other steps, the US Administration adopted Executive Order 14086 (“EO”). The EO establishes a new process for individuals to seek redress regarding alleged covered violations of law with respect to signals intelligence activities concerning their data that has been transferred from a “qualifying state” to the United States.

The US government needed to take several key steps to implement the EO. In addition to issuing implementing procedures for the EO for each of the ODNI elements and other activities, the US government has now also declared the European Union (“EU”) and European Economic Area (“EEA”) Member States are “qualifying states,” such that local EU and other EEA citizens will be able to file a complaint, which ultimately can trigger review by the ODNI Civil Liberties Protection Officer (“CLPO”), and ultimately the U.S. Data Protection Review Court if needed. The US government’s decision on the qualifying states will be effective upon the European Commission’s adoption of the DFA adequacy decision. These and other activities assure that, as of the time of the European Commission’s adoption of the DPF, the US government will fully comply with the implementation of the EO.

Next Steps.  The European Commission has indicated that it expects to adopt the adequacy decision for the DPF by this summer.  From that point, the US Department of Commerce (“US DOC”) will provide a grace period of three months in which companies currently self-certified to the Privacy Shield can convert their self-certification to cover the DPF.  The US DOC will also provide a means for new companies to self-certify to the DPF, so as to obtain the legal benefits of being deemed to provide adequate protection under GDPR. Although it is expected that EU data protection authorities and others will continue to apply scrutiny to EU-US data transfers, the DPF and associated implementation steps should help to provide more legal certainty for cross-border data transfers and also assure increased privacy protections for such data.   

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Flavia is a partner at Trench Rossi Watanabe* and is based in São Paulo. She has more than 15 years of experience in the areas of intellectual property, franchise, technology transfer, social media and unfair competition. *Trench Rossi Watanabe and Baker McKenzie have executed a strategic cooperation agreement for consulting on foreign law.

Author

Vin leads our London Data Privacy practice and is also a member of our Global Privacy & Security Leadership team bringing his vast experience in this specialist area for over 22 years, advising clients from various data-rich sectors including retail, financial services/fin-tech, life sciences, healthcare, proptech and technology platforms.

Author

Kritiyanee joined Baker McKenzie in 2013 and is a partner in the Intellectual Property and Technology practice. She has experience in data protection, cyber security, and complex technology matters.

Author

Ken Chia is a member of the Firm’s IP Tech, International Commercial & Trade and Competition Practice Groups. He is an IAPP Certified International Privacy Professional (FIP, CIPP(A), CIPT, CIPM) and a fellow of the Chartered Institute of Arbitrators and the Singapore Institute of Arbitrators. His practice focuses on IT, telecommunications, intellectual property, trade and commerce, and competition law matters.

Author

Cynthia J. Cole is Chair of Baker McKenzie’s Global Commercial, Tech and Transactions Business Unit, a member of the Firm’s global Commercial, Data, IP and Trade (CDIT) practice group steering Committee and Co-chair of Baker Women California. A former CEO and General Counsel, just before joining the Firm, Cynthia was Deputy Department Chair of the Corporate Section in the California offices of Baker Botts where she built the technology transactions and data privacy practice. An intellectual property transactions attorney, Cynthia also has expertise in AI, digital transformation, data privacy, and cybersecurity strategy.

Author

Magalie Dansac Le Clerc is a partner in Baker McKenzie's Paris office. A member of the Firm's Information Technology and Communications Practice Group, she is a Certified Information Privacy Professional (CIPP).

Author

Elisabeth is a partner in Baker McKenzie's Brussels office. She advises clients in all fields of IT, IP and new technology law, with a special focus on data protection and privacy aspects. She regularly works with companies in the healthcare, finance and transport and logistics sectors.

Author

Dominic is Special Counsel in Baker McKenzie's Intellectual Property and Technology Practice Group in Hong Kong.

Author

Rachel Ehlers is a partner in Baker McKenzie's Intellectual Property and Technology Practice Group, based in the Firm's Houston office. Rachel's practice focuses on technology transactions, data privacy and cybersecurity. She has extensive experience advising clients on data incidents and breach response, cross-border transfers, and data privacy and cybersecurity issues related to mergers and acquisitions.

Author

Dr. Lukas Feiler, SSCP, CIPP/E, has more than eight years of experience in IP/IT and is a partner and head of the IP and IT team at Baker McKenzie • Diwok Hermann Petsche Rechtsanwälte LLP & Co KG in Vienna. He is a lecturer for data protection law at the University of Vienna Law School and for IT compliance at the University of Applied Science Wiener Neustadt.

Author

Francesca Gaudino is the Head of Baker McKenzie’s Information Technology & Communications Group in Milan. She focuses on data protection and security, advising particularly on legal issues that arise in the use of cutting edge technology.

Author

Paul is head of cybersecurity in the UK and a key member of our wider data protection team. For 15 years, Paul has guided clients through all types of major data security incidents as well as complex technology and data disputes. Paul pioneered an award-winning data breach and dark web scanning tool which was the first product of its kind in the legal market.

Author

Marcia Lee is a special counsel in Baker McKenzie's Intellectual Property and Technology group based in Hong Kong. She focuses on privacy/data protection, technology, media & telecommunications, internet regulatory issues, consumer law protection, e-commerce, and healthcare.

Author

Dr. Michaela Nebel is a partner in the Frankfurt office of Baker McKenzie. Prior to joining Baker McKenzie she studied law at the University of Passau. She obtained her Doctor of Law degree on a topic related to privacy in the Web 2.0. From July until December 2014 she practiced at the San Francisco office of Baker McKenzie. She is a member of the International Association of Privacy Professionals (IAPP) and since May 2015 a Certified Information Privacy Professional/Europe (CIPP/E) and since May 2017 a Certified Information Privacy Professional/United States (CIPP/US). She is also the author of numerous articles on information technology law, in particular on data protection law and e-commerce law, and the co-author of an English language commentary on the EU General Data Protection Regulation.

Author

Pattaraphan Paiboon is a Partner at Baker McKenzie's office in Bangkok. Pattaraphan focuses on telecommunications, broadcasting, IT/Communications, cybersecurity, data privacy and protection, and e-commerce law.

Author

Patricia Perez joined the Information Technology & Communications Department of Baker & McKenzie in Madrid in 2013. Her prior experience includes working at national law firms in the Corporate and Intellectual Property and Information Technology departments.

Author

Anne is a partner based in Sydney. Her practice focuses on IT and telecommunications supply arrangements; understanding regulatory issues for online, telecommunications and IT businesses (in particular for data management); and trade regulatory and commercial contracting advice.

Author

Kensaku Takase is a partner in Baker McKenzie’s Tokyo office and is the Group Leader of the office's IP/IT/EC Practice Group. Mr. Takase is bilingual (Japanese and English) and focuses on intellectual property law, media law, and information technology law since 1999. He has assisted many companies in various industries with cross-border transactions in the trademark, copyright and design fields.

Author

Florian Tannen is a partner in the Munich office of Baker McKenzie. He advises on all areas of contentious and non-contentious information technology law, including internet, computer/software and data privacy law.

Author

Alex Toh is a senior associate in Baker McKenzie's Singapore office.

Author

Carlos is one of Mexico's most active privacy, data protection and information security lawyers. He has implemented privacy management compliance programs for over 100 companies, including several Fortune 500 companies. He advises on corporate and commercial matters where privacy is an issue, including e-discovery, FCPA investigations, e-commerce, direct marketing, privacy in the workplace, litigation and M2M communications.

Author

Jo-Fan Yu is a partner and member of Baker McKenzie Information, Technology, Communications (IT/C) and Telecoms, Media, and Technology (TMT) groups in Taipei. Jo-Fan focuses her practice on ITC, media, telecom and dispute resolution.