FAQ: Executive Order on US-EU data transfers

On October 7, 2022, President Biden signed an Executive Order providing for binding safeguards and redress mechanisms for Europeans whose data is transferred to the U.S. The European Commission has said that this Executive Order will be the basis for an adequacy decision with the United States. That framework will address the concerns raised by the Court of Justice of the European Union (CJEU) in the Schrems II decision of July 2020 which rendered the Privacy Shield agreement invalid.

What does the new Executive Order do? 

It implements commitments made by the US in March’s “agreement in principle”. It’s focused on two commitments: safeguards for European personal data transferred to the US, and the establishment of mechanisms for redress. Specifically, it provides:

• Additional safeguards for US intelligence activities, including limiting access to European personal data by US intelligence agencies to “what is necessary and proportionate to protect national security”

• The establishment of a “multi-layer” redress mechanism to investigate and resolve complaints that personal information collected by US signals intelligence was collected in violation of applicable US law

• It also calls on the Privacy and Civil Liberties Oversight Board to review intelligence community policies and procedures to ensure they are consistent with this Executive Order, and to conduct an annual review of the redress process.

The European Commission believes that the CJEU is unlikely to strike down a new privacy agreement. Per the Commission, their objective in these negotiations “has been to address the concerns raised by the CJEU in the Schrems II judgment and provide a durable and reliable legal basis for transatlantic data flows. This is reflected in the safeguards included in the Executive Order, regarding both the substantive limitation on US national security authorities’ access to data (necessity and proportionality) and the establishment of the new redress mechanism.”

This is a very promising step towards resolving the invalidation of the Privacy Shield agreement.

How does this impact Sourcepoint?

Sourcepoint will maintain the existing safeguards and transfer mechanisms that were put into place before the Executive Order, but we will be monitoring the status of the adequacy decision and US regulations closely and adjusting our processes, as appropriate, to reflect changing requirements. We will keep our clients updated on any such changes.

When will the new adequacy EU-US data privacy framework be adopted?

Although it may be some time before an official adequacy decision is finalized, we see this as significant progress toward seamless cross-border transfers between the EU and the US.  According to the EU Commission’s Q&A , the next steps include proposing a draft adequacy decision and launching the adoption procedure. The adoption procedure would involve an opinion from the European Data Protection Board (EDPB), approval from an EU Member States committee, and scrutiny from the European Parliament. 

For additional information, read Biden’s Executive Order, the White House Fact Sheet about the order, and the Q&A from the European Commission.