On 7 October 2022, President Joe Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities. This order aims to reboot US-EU information transfers and is expected to make life easier for businesses. It will help achieve national security objectives and create a mechanism for people to lodge complaints if they believe that authorities have processed their personal data unlawfully. But how will this be implemented? What options are available to companies in the meantime? We’ve provided some insights below.

What is the Executive Order about?

The Executive Order creates an independent and impartial redress mechanism for Europeans whose personal data is transferred to the US. For example, the Order provides for a Data Protection Review Court (‘DPRC’) to investigate and resolve complaints from anyone regarding access to their data by US national security authorities. The Executive Order requires US intelligence agencies to review their policies and procedures to implement these new safeguards.

How is the Executive Order different from the Privacy Shield?

These are significant improvements compared to the Privacy Shield. The new Executive Order, together with the accompanying Regulations, creates two layers of redress, with binding authority. Under the first layer, EU individuals will be able to lodge a complaint with the Civil Liberties Protection Officer (CLPO). The CLPO will conduct an independent review of a complaint. Under the second layer, individuals will be able to appeal the decision before the newly created DPRC. For example, if the DPRC finds that the data is in violation of the safeguards in the Executive Order, it will be able to order the deletion of the data. CLPO and DPRC decisions are binding on intelligence agencies.

Under the Privacy Shield, individuals could turn to an ombudsperson, who was part of the US State Department and did not have similar investigatory or binding decision-making powers.

What is the status of the Executive Order?

The European Commission (Commission) can now launch its own adoption procedure and propose a draft adequacy decision. The EU uses the term ‘adequacy’ to describe other countries, territories, or international organisations that it deems to provide an equivalent level of data protection to that which exists within the EU. The European Parliament has a right of scrutiny over adequacy decisions.

The adoption procedure for an adequacy decision has different steps:

  • getting an opinion from the European Data Protection Board; and
  • getting the green light from a committee of representatives of the EU Member States.

In September, the UK Parliament finally gave effect to a UK-US Data Bridge which will enable American companies approved to join the UK Extension to the EU-US Data Privacy Framework to receive UK personal data under the new Data Bridge.

What can companies do in the meantime?

An adequacy decision is not the only tool for international transfers. Model clauses are also a mechanism to transfer data from the EU. Companies can introduce these in their commercial contracts. All the safeguards that the Commission has agreed with the US Government will be available for all transfers to the US under the GDPR, regardless of the transfer tool used.

Actions you can take

  • Dive into the details of the Executive Order by reading the fact sheet that the White House released.
  • Keep updated on the latest data protection developments in America by following the consumerprivacyact.com website.
  • Get more information about US, EU and Africa data transfers by reading our insights.
  • Know how to comply with data protection laws in America by becoming a member of the Michalsons data protection programme and joining our Data Protection in America lens.