Blog

FAQ: Executive Order on US-EU data transfers

Elena Morin, Director of Marketing
October 10, 2022
handshake with "EU-US data transfers"

On October 7, 2022, President Biden signed an Executive Order providing for binding safeguards and redress mechanisms for Europeans whose data is transferred to the U.S. The European Commission has said that this Executive Order will be the basis for an adequacy decision with the United States. That framework will address the concerns raised by the Court of Justice of the European Union (CJEU) in the Schrems II decision of July 2020 which rendered the Privacy Shield agreement invalid.

What does the new Executive Order do? 

It implements commitments made by the US in March’s “agreement in principle”. It’s focused on two commitments: safeguards for European personal data transferred to the US, and the establishment of mechanisms for redress. Specifically, it provides:

 Additional safeguards for US intelligence activities, including limiting access to European personal data by US intelligence agencies to “what is necessary and proportionate to protect national security”

 The establishment of a “multi-layer” redress mechanism to investigate and resolve complaints that personal information collected by US signals intelligence was collected in violation of applicable US law

 It also calls on the Privacy and Civil Liberties Oversight Board to review intelligence community policies and procedures to ensure they are consistent with this Executive Order, and to conduct an annual review of the redress process.

The European Commission believes that the CJEU is unlikely to strike down a new privacy agreement. Per the Commission, their objective in these negotiations “has been to address the concerns raised by the CJEU in the Schrems II judgment and provide a durable and reliable legal basis for transatlantic data flows. This is reflected in the safeguards included in the Executive Order, regarding both the substantive limitation on US national security authorities’ access to data (necessity and proportionality) and the establishment of the new redress mechanism.”

This is a very promising step towards resolving the invalidation of the Privacy Shield agreement.

How does this impact Sourcepoint?

Sourcepoint will maintain the existing safeguards and transfer mechanisms that were put into place before the Executive Order, but we will be monitoring the status of the adequacy decision and US regulations closely and adjusting our processes, as appropriate, to reflect changing requirements. We will keep our clients updated on any such changes.

When will the new adequacy EU-US data privacy framework be adopted?

Although it may be some time before an official adequacy decision is finalized, we see this as significant progress toward seamless cross-border transfers between the EU and the US.  According to the EU Commission’s Q&A , the next steps include proposing a draft adequacy decision and launching the adoption procedure. The adoption procedure would involve an opinion from the European Data Protection Board (EDPB), approval from an EU Member States committee, and scrutiny from the European Parliament. 

For additional information, read Biden’s Executive Order, the White House Fact Sheet about the order, and the Q&A from the European Commission.

Latest Blog Posts

FTC rulemaking and CPRA comment periods close

November 28, 2022

Comments from the News/Media Alliance requested that any FTC...

Google settles in multi-state location tracking suit

November 21, 2022

Google settled a multistate privacy lawsuit with 40 state Attorneys General based...

Colorado Posts Public Comments to CPA Draft Rules

November 14, 2022

The Data Protection and Digital Information Bill, which was...

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]