18.10.2022

EU–U.S. Data Transfers – what we know now

Many companies have been closely following the development of the interpretation practice concerning international data transfers ever since the Court of Justice of the European Union (the CJEU) invalidated the Privacy Shield framework as a transfer mechanism for EU–U.S. data transfers in its Schrems II judgment in July 2020. On Friday 7 October, Joe Biden, President of the United States, issued the long-awaited Executive Order to address the requirements presented in the decision of the CJEU. The Order is meant to serve as the foundation for a new framework that would form the legal basis for the transfer of personal data from the EU to the USA (the EU–U.S. Data Privacy Framework). The Executive Order is based on the principles that the European Commission and the USA agreed upon in March 2022.

From Executive Order to a new Privacy Shield?

The EU’s General Data Protection Regulation requires that all transfers of personal data outside the EU have a legal basis, i.e., a transfer mechanism. Such transfer mechanisms include, inter alia, the Standard Contractual Clauses approved by the European Commission and adequacy decisions in which the level of data protection of a specific country is deemed adequate from the EU’s perspective. Concerning the USA, an adequacy decision had earlier been made based on the Privacy Shield framework, but the CJEU overturned the decision in its Schrems II judgement. In the Schrems II judgement, the CJEU deemed, among other things, that the rights of the authorities to view and use personal data under U.S. legislation do not meet the requirements of the EU’s data protection legislation and that the EU citizens’ remedies to address the processing of their personal data in the USA are insufficient. That is why the previous Privacy Shield framework was overturned.

It is important to note that, in addition to actual transfers, situations where personal data can be accessed from the USA, for example as part of a cloud-based service provided by a company located in the USA, are also considered personal data transfers. This means that the regulation on data transfers is a topical issue for the majority of Finnish companies.

President Biden’s new Executive Order includes several sections that are meant to bolster the safeguards for data protection in the signals intelligence activities of the USA and thus address the concerns brought up by the CJEU.

The Executive Order creates, among other things, a multi-layer mechanism for private individuals from countries that meet the requirements to obtain legally binding re-examination and remedy if they believe that the USA has collected or processed their personal data through signals intelligence in violation of applicable legislation. The first instance of the appeal system is the Civil Liberties Protection Officer in the Office of the Director of National Intelligence of the United States. According to the Executive Order, the second instance is an independent and impartial court, the Data Protection Review Court. Its decisions will be binding on the U.S. intelligence community.

Inspired by the Schrems II judgement, the Executive Order also specifies the restrictions and safeguards that are to ensure the protection of basic rights of the EU citizens in each stage of the oversight activities, from the collection of data to further processing and storage. It seems that the purpose of the safeguards is to meet the CJEU’s requirements to only collect data necessary to advance a specific intelligence priority and only to the extent and in a manner proportionate to that priority.

Next steps

The European Commission will review the text and prepare a draft adequacy decision on the data protection of the USA. Once the draft decision has been issued, the Commission must hear the Data Protection Board and the Member States, although their views will not be binding. The process will take months, and a final adequacy decision is not expected before the spring of 2023. The adequacy decision based on the EU–U.S. Data Privacy Framework can be used as a legal basis under the General Data Protection Regulation for transfers of personal data to the USA starting from the time the decision is published in the Official Journal of the European Union.

It should also be noted that the Executive Order strengthens the level of data protection in the USA even before the publication of the adequacy decision as the provisions included therein obligate the intelligence authorities to take action to implement the safeguards included in the Executive Order right away. The data protection safeguards included in the Executive Order can be taken into account, for example, in the assessment of the level of data protection in the USA and the related supplementary measures when using the Standard Contractual Clauses approved by the Commission as a transfer mechanism. The Standard Contractual Clauses remain an essential transfer mechanism for transferring personal data outside the European Union.

A permanent solution or a temporary one?

The EU and the USA have been working on the new framework for a long time, but it is still very likely that the Commission’s expected adequacy decision will be disputed in the CJEU a third time. The privacy activists behind the overturning of the two previous frameworks (Privacy Shield and its predecessor Safe Harbor) have argued that the contemplated new safeguards of the framework do not meet the requirements of the CJEU.

The activists have stated, for example, that the USA’s interpretation of the concepts of proportionality and necessity of collecting data differs from what these concepts mean in EU law and the case law of the CJEU. The activists have also challenged the effectiveness of the safeguards laid down in the Executive Order: it has been proposed that the Data Protection Review Court, the second instance of the appeal system, is in fact not the independent and impartial court that the CJEU required in its decision. The Executive Order also does not prohibit bulk collection of signals intelligence, which the CJEU has criticised, although the Order does set more detailed requirements for bulk collection.

Thus, it is unclear whether the third attempt to agree on a framework for data transfers between the EU and the USA will be successful or whether it will ultimately be overturned by the CJEU. Considering the great significance of the legal certainty concerning data transfers to companies operating in the EU and the USA, one can only hope that the solution will stand the test of time.
