Following the agreement on a new US-EU data protection framework between the US President and the President of the European Commission, the White House published the long-awaited “executive order” regarding the new possible agreement. In it, the U.S. government outlines new legal safeguards on access and use of personal data and moves in the right direction on the major point of contention on procedural safeguards for data subjects.
With the invalidation of the EU-US Privacy Shield due to the ECJ’s “Schrems II” ruling, the EU-US data exchange was once again in limbo. In August 2020, the EU and the US resumed talks to resolve this situation as quickly as possible. About six months after the agreement on a new US-EU data protection framework between US President Joe Biden and European Commission President Ursula von der Leyen, the White House published the long-awaited “executive order” on the new possible agreement. In it, Joe Biden’s administration outlines new legal safeguards on access and use of personal data and moves in the right direction on the major point of contention on procedural safeguards for data subjects.
In this new executive order, the US government writes that it will strengthen privacy and civil liberties safeguards for possible US spying activities and build in mechanisms that allow for independent, binding review and the opportunity for data subjects to have an accessible and effective remedy. A remedy is available to the data subject if he or she believes that a US signals intelligence operation violated applicable US law in collecting his or her personal information.
The EU is currently drafting an adequacy decision. An adoption procedure will decide on the ratification of these new US obligations. Due to the length of the ratification process, it is expected that the data protection framework will be finalised by March 2023 at the latest.
What does this new US regulation look like and how much concession to the EU is really behind it?
As already mentioned, one reason for the failure of the Privacy Shield was the lack of legal guarantees for data subjects in the US. In the new agreement, the possibility of legal remedies and proportionality in the case of interventions by the US spy services in connection with national security checks in the USA are to be brought into line above all. To this end, the USA wants to introduce a multi-level mechanism. It is intended to provide an independent and binding review and remedy for individuals on privacy-related issues. The second half of this mechanism involves a privacy review tribunal, the establishment of which would be untertaken by the US Department of Justice.
US national security agencies must include new safeguards in their policies. These focus on purpose limitation and necessity in handling data. To ensure remediation of incidents where policies are not followed, the responsibilities of legal, regulatory and compliance officials will be expanded.
According to the EU Commission, the Appellate Court will ensure greater protection of EU citizens’ data. Compared to the mechanism that existed under the Privacy Shield, the changes in terms of redress are a significant improvement. The complaint to an ombudsperson, which was possible until now, does not provide a sufficiently high level of protection due to a lack of investigative powers or binding decision-making powers. However, there are not only positive comments to be made on the “executive order”. For example, one can react negatively to the plan for the establishment of the court, as it is fraught with loopholes. Ambiguities arise with regard to the “special advocate” or the status of the Data Protection Review Court (DPRC) as a constitutional court.
Impact on business
Businesses have had to deal with many ambiguities in the past. For example, they did not know whether their compliance obligations for data transfers were sufficient. The latest developments will especially please US companies doing business in the EU, as they can now give concrete assurances to their customers. Companies certified under the current Privacy Shield framework can take advantage of the revised version of the Shield when transferring data to the US. This transfer mechanism protects data transfers to the US in a much simpler way than the complex standard contractual clauses do. Companies will no longer have to deal with this complexity, except when they are lawfully transferring data to other countries. The U.S. Department of Commerce will issue further updates and guidance to Privacy Shield participants on how companies can incorporate these changes into their privacy policies.
According to the European Commission, the executive order introduces new binding safeguards to address all the issues raised by the EU Court of Justice. In this way, a permanent, reliable legal basis for transatlantic data traffic is to be created. The limits identified by the ECJ are well taken into account by the executive order. The first hurdle that had to be overcome was the surveillance issue. The US actively contributed to overcoming this enormous hurdle.
The fact that the EU will initiate the adequacy procedure makes it clear that the government representatives of both the US and the EU are of one mind, namely that there is substantial equivalence between the data protection framework and the EU standards.