Explainer: EU-U.S. Data Privacy Framework

On 25 March 2022, President von der Leyen and President Biden announced that they had reached an agreement in principle on a new EU-U.S. Data Privacy Framework. The framework will foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in the Schrems II decision of July 2020. Following that, the EU and US teams worked for many months to finalise the details of this agreement and translate it into a legal framework.

On 7 October President Biden signed an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’. Along with the Regulations issued by the Attorney General, the Executive Order implements into US law the agreement in principle announced in March. The Executive Order introduces new binding safeguards to address all the points raised by the Court of Justice of the EU, limiting access to EU data by US intelligence services and establishing a Data Protection Review Court.

On that basis, the European Commission will now prepare a draft  adequacy decision, as well as launch its adoption procedure.

  1. What is the new Executive Order about?

The Executive Order signed by President Biden on 7 October, as well as the accompanying Regulations, implement the commitments made by the US in the agreement in principle announced in March.

For Europeans whose personal data is transferred to the US, the new Executive Order provides for:

  • Binding safeguards that limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security;
  • The establishment of an independent and impartial redress mechanism, which includes a new Data Protection Review Court (‘DPRC’); to investigate and resolve complaints regarding access to their data by US national security authorities;

The Executive Order requires US intelligence agencies to review their policies and procedures to implement these new safeguards.

These are significant improvements compared to the Privacy Shield. The new safeguards in the area of government access to data will complement the obligations that US companies importing data from EU will have to subscribe to.

  1. What are the next steps in the process?

With the adoption of the Executive Order and its accompanying Regulations, the Commission can now move to the next steps, which include proposing a draft adequacy decision and launching its adoption procedure.

The adoption procedure for an adequacy decision consists of different steps: obtaining an opinion from the European Data Protection Board (EDPB) and the green light from a committee composed of representatives of the EU Member States. In addition, the European Parliament has a right of scrutiny over adequacy decisions.

Only after that, the European Commission can adopt the final adequacy decision in relation to the US. From that moment on, data will be able to flow freely and safely between the EU and US companies certified by the Department of Commerce under the new framework. US companies will be able to join the framework by committing to comply with a detailed set of privacy obligations.

  1. In what way is the new redress mechanism different from the previous Privacy Shield Ombudsperson?

The new Executive Order, together with the accompanying Regulations, establishes a new two-layer redress mechanism, with independent and binding authority.

Under the first layer, EU individuals will be able to lodge a complaint with the so-called ‘Civil Liberties Protection Officer’ of the US intelligence community. This person is responsible for ensuring compliance by US intelligence agencies with privacy and fundamental rights. 

Under the second level, individuals will have the possibility to appeal the decision of the Civil Liberties Protection Officer before the newly created Data Protection Review Court. The Court will be composed of members chosen from outside the US Government, appointed on the basis of specific qualifications, can only be dismissed for serious causes (such as being convicted of a crime, or being deemed mentally or physically unfit to perform the tasks) and cannot receive instructions from the government. The Data Protection Review Court will have powers to investigate complaints from EU individuals, including to obtain relevant information from intelligence agencies, and will be able to take binding remedial decisions. For example, if the DPRC would find that data was collected in violation of the safeguards provided in the Executive Order, it will be able to order the deletion of the data.

To further enhance the Court’s review, in each case, the Court will select a special advocate with relevant experience to support the Court, who will ensure that the complainant’s interests are represented before the Court and that the Court is well-informed of the factual and legal aspects of the case. This will ensure that both sides are represented, and introduces more guarantees in terms of fair trial, redress and due process.

These are significant improvements, compared to the mechanism that existed under the Privacy Shield. At that time, individuals could turn to an Ombudsperson, which was part of the US State Department and did not have similar investigatory or binding decision-making powers.

  1. Why does the Commission think that the Court of Justice of the EU will not strike down the agreement again?

The objective of the Commission in these negotiations has been to address the concerns raised by the Court of Justice of the EU in the Schrems II judgment and provide a durable and reliable legal basis for transatlantic data flows. This is reflected in the safeguards included in the Executive Order, regarding both the substantive limitation on US national security authorities’ access to data (necessity and proportionality) and the establishment of the new redress mechanism.

  1. What are the options available to companies in the meantime?

It is important to remember that an adequacy decision is not the only tool for international transfers.

Model clauses, which companies can introduce in their commercial contracts, are the most used mechanism to transfer data from the EU. Last year, the Commission adopted modernised ‘Standard Contractual Clauses’ to facilitate their use, including in light of the requirements set by the Court of justice in the Schrems II judgment. Practical guidance to companies relying on Standard Contractual Clauses for transferring data is also available.

All the safeguards that the Commission has agreed with the US Government in the area of national security (including the redress mechanism) will be available for all transfers to the US under the GDPR, regardless of the transfer tool used.