Biden Signs Executive Order in Latest Step toward Privacy Shield Successor
Relief may be coming for transatlantic data transfers, but expect renewed challenges from opponents in Europe.
On October 7, 2022, President Biden signed a highly anticipated Executive Order implementing commitments the U.S. made under the new European Union-U.S. Data Privacy Framework (the “Framework”) announced earlier this year. The Framework is viewed as a successor to the European Union-U.S. Privacy Shield Framework (“Privacy Shield”), which was invalidated by the European Court of Justice in 2020. If ratified by the appropriate European Union (“EU”) entities, the Framework would provide qualifying companies with a legal basis to transfer personal data from the EU to the U.S. The Executive Order lays the groundwork for the European Commission (“EC”) to provide an adequacy determination for the Framework, which is expected to occur in 2023.
Why is the Framework important?
The EU General Data Protection Regulation (“GDPR”) prohibits the transfer of EU residents’ personal data to countries that do not provide an “adequate” (i.e., essentially equivalent) level of protection for personal data unless additional “appropriate safeguards” are implemented.
The U.S. is not considered an “adequate” jurisdiction by the EC, and until 2020, the Privacy Shield, a self-certification framework administered by the U.S. Department of Justice and enforced by the Federal Trade Commission, was a flexible and popular compliance mechanism for U.S. companies to lawfully transfer personal data from the EU to the U.S. In 2020, however, the Court of Justice of the European Union (“CJEU”) invalidated the Privacy Shield in the landmark Schrems II decision due to concerns about the scope of U.S. intelligence agencies’ surveillance activities.
Since the Schrems II decision, companies that previously relied on the Privacy Shield have had to deal with significant uncertainty, as well as commercial and regulatory risk, over the legality of their data transfers. While there are other legal bases for the transfer of personal data, such as standard contractual clauses, Binding Corporate Rules, or “derogations” (i.e., exceptions) set forth in the GDPR, these options do not suit every type of company or business, in particular where complex data flows are involved. The Framework, commonly referred to as “Privacy Shield 2.0”, is intended to replace the Privacy Shield and provide a legal basis (and more legal certainty) for companies to transfer personal data from the EU to the U.S.
What does the Executive Order do?
The Executive Order addresses two areas of concern that the CJEU cited in invalidating the Privacy Shield: (1) the lack of meaningful necessity and proportionality limitations on U.S. surveillance programs; and (2) insufficient redress rights for individuals to challenge unlawful government surveillance.
Necessity and Proportionality Limitations. The Executive Order requires that signals intelligence collection be conducted only in pursuit of twelve enumerated “legitimate objectives” relating to national security. It also identifies several “prohibited objectives.” In addition, U.S. intelligence agencies are required to assess and determine that proposed signals intelligence collection operations are both “necessary” and “proportionate” in relation to the validated intelligence priority for which they have been authorized.
Redress Rights. The Executive Order also creates a system for EU residents to obtain independent and binding review and redress of claims that their personal information was unlawfully collected or processed by U.S. intelligence agencies. The initial review will be conducted by the Civil Liberties Protection Officer (“CLPO”) in the Office of the Director of National Intelligence. The Executive Order also directs the U.S. Attorney General to establish a new Data Protection Review Court within the Department of Justice. Individuals will be able to appeal decisions of the CLPO to the Data Protection Review Court, which will have the authority to conduct an independent and binding review of the CLPO’s decisions.
What happens next?
Although the EC responded positively to the Executive Order, there are still several steps that must occur before the Framework can go into effect. The Framework will need to be ratified by the European Data Protection Board (“EDPB”), the European Parliament, and the EC. The Framework is expected to become operative in March 2023, although the exact timeline for ratification is still uncertain.
While the Framework, like its Privacy Shield predecessor, remains open to challenge in the European court system, its novel system of redress for EU residents (with resulting orders being binding on U.S. intelligence agencies) means it has a better chance of withstanding an invalidation action in court.