EU–U.S. Data Transfers – what we know now

From Executive Order to a new Privacy Shield?

The EU’s General Data Protection Regulation requires that all transfers of personal data outside the EU have a legal basis, i.e., a transfer mechanism. Such transfer mechanisms include, inter alia, the Standard Contractual Clauses approved by the European Commission and adequacy decisions in which the level of data protection of a specific country is deemed adequate from the EU’s perspective. Concerning the USA, an adequacy decision had earlier been made based on the Privacy Shield framework, but the CJEU overturned the decision in its Schrems II judgement. In the Schrems II judgement, the CJEU deemed, among other things, that the rights of the authorities to view and use personal data under U.S. legislation do not meet the requirements of the EU’s data protection legislation and that the EU citizens’ remedies to address the processing of their personal data in the USA are insufficient. That is why the previous Privacy Shield framework was overturned.

It is important to note that, in addition to actual transfers, situations where personal data can be accessed from the USA, for example as part of a cloud-based service provided by a company located in the USA, are also considered personal data transfers. This means that the regulation on data transfers is a topical issue for the majority of Finnish companies.

President Biden’s new Executive Order includes several sections that are meant to bolster the safeguards for data protection in the signals intelligence activities of the USA and thus address the concerns brought up by the CJEU.

The Executive Order creates, among other things, a multi-layer mechanism for private individuals from countries that meet the requirements to obtain legally binding re-examination and remedy if they believe that the USA has collected or processed their personal data through signals intelligence in violation of applicable legislation. The first instance of the appeal system is the Civil Liberties Protection Officer in the Office of the Director of National Intelligence of the United States. According to the Executive Order, the second instance is an independent and impartial court, the Data Protection Review Court. Its decisions will be binding on the U.S. intelligence community.

Inspired by the Schrems II judgement, the Executive Order also specifies the restrictions and safeguards that are to ensure the protection of basic rights of the EU citizens in each stage of the oversight activities, from the collection of data to further processing and storage. It seems that the purpose of the safeguards is to meet the CJEU’s requirements to only collect data necessary to advance a specific intelligence priority and only to the extent and in a manner proportionate to that priority.

Next steps

The European Commission will review the text and prepare a draft adequacy decision on the data protection of the USA. Once the draft decision has been issued, the Commission must hear the Data Protection Board and the Member States, although their views will not be binding. The process will take months, and a final adequacy decision is not expected before the spring of 2023. The adequacy decision based on the EU–U.S. Data Privacy Framework can be used as a legal basis under the General Data Protection Regulation for transfers of personal data to the USA starting from the time the decision is published in the Official Journal of the European Union.

It should also be noted that the Executive Order strengthens the level of data protection in the USA even before the publication of the adequacy decision as the provisions included therein obligate the intelligence authorities to take action to implement the safeguards included in the Executive Order right away. The data protection safeguards included in the Executive Order can be taken into account, for example, in the assessment of the level of data protection in the USA and the related supplementary measures when using the Standard Contractual Clauses approved by the Commission as a transfer mechanism.The Standard Contractual Clauses remain an essential transfer mechanism for transferring personal data outside the European Union.

A permanent solution or a temporary one?

The EU and the USA have been working on the new framework for a long time, but it is still very likely that the Commission’s expected adequacy decision will be disputed in the CJEU a third time. The privacy activists behind the overturning of the two previous frameworks (Privacy Shield and its predecessor Safe Harbor) have presented that the contemplated new safeguards of the framework do not meet the requirements of the CJEU.

The activists have stated, for example, that the USA’s interpretation of the concepts of proportionality and necessity of collecting data differs from what these concepts mean in the EU law and the case law of the CJEU. The activists have also challenged the efficiency of the safeguards laid down in the Executive Order: it has been proposed that the Data Protection Review Court of the second instance of the appeal system is in fact not the independent and impartial court that the CJEU required in its decision. The Executive Order also does not prohibit bulk collection of signals intelligence, which the CJEU has criticised, although the Order does set more detailed requirements for bulk collection.

Thus, it is unclear whether the third attempt to agree on a framework for data transfers between the EU and the USA will be successful or whether it will ultimately be overturned by the CJEU. Considering the great significance of the legal certainty concerning data transfers to companies operating in the EU and the USA, one can only hope that the solution will stand the test of time.