Breaking Data Development: New Privacy Protections for US-EU Transfers Coming
- Information governance
- 3 min read
Yet another international data transfer update recently materialized. On October 7, President Biden signed an executive order directing the steps to implement a new data privacy framework. This would apply to the flow of personal information between the U.S. and EU. This has been a long time coming since the Schrems II court decision in 2020 which invalidated the Privacy Shield framework as a mechanism to effectuate cross-border data transfers. The prior framework was in place for many years and offered a streamlined way to transfer U.S. to EU data. It was invalidated after Schrems II due to concerns over diminished privacy protections in violation of the General Data Protection Regulation (GDPR) and apprehension over U.S. surveillance during transfer activities.
Since the U.S. and Europe frequently conduct cross-border business activities in many different markets, the absence of a streamlined transfer process has presented major issues requiring expedient remediation. The EU does not recognize the U.S. as having data privacy laws or safeguards that would be adequate under the GDPR, so the only way to transfer information over the last two years has been via the EU’s updated standard contractual clauses (SCCs). This is a more complex and unpredictable way to effectuate transfers and requires data transfer impact assessments that are time-consuming. As such, organizations have been anxiously waiting for the new framework to be finalized since there was chatter that it was in the works earlier this year.
The Executive Order
The new framework, which is being referred to as the “Privacy Shield 2.0,” aims to address the EU’s ongoing privacy concerns and will once again offer a more streamlined way to effectuate U.S. to EU data transfers. Here are the key points noted in the executive order:
- Robust review process: There will be multi-layer review available for EU residents to turn to if they have non-compliance issues. First, the Office of the Director of National Intelligence will investigate claims and have authority to issue binding orders. Such decisions will be subject to review by an independent data protection review court. This court will be composed of judges outside the U.S. government who will have full authority to adjudicate matters and order remedies to redress any harm suffered. A special advocate will also be available to the complainant during the court proceedings.
- Enhanced intelligence safeguards: U.S. intelligence agencies will only be able to access data in limited defined situations when needed to protect national security, specifically in instances involving validated intelligence priorities. The agencies must consider privacy and civil liberties for everyone, regardless of nationality or residential country.
- Mandated updates: All U.S. intelligence organizations must revise current policies and procedures so they align with the enhanced protections under the framework. The Privacy and Civil Liberties Oversight Board will review such revisions and provide annual reviews over any redress orders issued.
Overall, the executive order affirmed that the framework will greatly increase oversight and review of data transfers. Organizations are also expected to be able to self-certify compliance under the framework via the U.S. Department of Commerce when processing incoming EU data.
The EU now needs to review such framework and affirm whether it offers adequate protection in line with the GDPR’s provisions. Analysts are split on whether this framework will truly address the privacy gaps between these countries, with some believing the protections are adequate and will pave the way for a U.S. federal privacy bill to finally materialize. Others doubt the framework’s sufficiency and feel it does not sufficiently address commercial use of personal data, which has been a major debate over the past few years.
Regardless of outcome, the EU’s decision to issue an adequacy decision or reject the framework is expected to take months, so lack of clarity on how to handle transfers remains until that time. For now, affected organizations need to continue to play the waiting game and rely on SCCs for data transfers. However, while many organizations dropped their privacy shield certifications after the Schrems II decision, there are still a good amount that are maintaining them even though not in use. Some analysts are advising these organizations to keep up their certifications as it would make for an easier transition when and if the new framework becomes effective. Now is the time for leadership, legal, and privacy teams to be strategic about this decision. A good formula to use is balancing the cost of certification maintenance with the benefit of expediting transfer backlog and overall risk.
For more insight on data transfers, please read International Data Transfers: Knowing Which Rules Apply to Comply.