On 7 October 2022, President Biden issued an executive order directing the US to implement its commitments under the EU-US Data Privacy Framework (also known as the “Privacy Shield 2.0”). This Framework replaces the EU-US Privacy Shield that was invalidated by the Court of Justice of the European Union (CJEU) in 2020 due to the CJEU’s concerns with the US Government’s surveillance activities and their perceived lack of adequate safeguards and remedies for the personal data of individuals located in the EU.
The Framework places additional restrictions on US intelligence agencies, such as requiring that certain intelligence activities be conducted only in pursuit of defined national security objectives. The Framework also provides a two-tier grievance redress mechanism regarding how these agencies collect and use such personal data in order to address the concerns raised by the CJEU.
In the “Questions & Answers” released by the European Commission in response to this Framework, the European Commission called the measures “significant improvements” compared to the Privacy Shield, and it will now move on to the next steps, which include proposing a draft adequacy decision and launching its adoption procedure.
Once the final adequacy decision is issued, personal data will be able to flow freely between the EU and US companies certified by the Department of Commerce under the new Privacy Shield.
Although, following Brexit, the Framework will not address transfers of personal data to the US from the UK, the UK Government has welcomed the publication of the executive order, stating that it “strengthens the safeguards and establishes new redress routes for UK data processed by US authorities” in its public announcement following the order.
This announcement also stated that the UK government intends to “work expediently to review the enhanced safeguards and redress mechanism”, with a view to preparing a UK-US adequacy regulation in Parliament in 2023, alongside guidance for organisations and individuals. Indeed, commentators have stated that the UK is poised to move quickly regarding the adequacy decision in order to highlight the benefits of Brexit.
UK – US data flows
The US stated in a simultaneous announcement that it intends to work to designate the UK as a “qualifying state” under the executive order, which would enable UK individuals who submit qualifying complaints to access the redress mechanism established under the executive order in the form of investigations by the Civil Liberties Protection Officer and then a second layer of review by the new Data Protection Review Court (which is currently being established by the Attorney General).
According to the US, this is a significant step forward in its work on bilateral cross-border data flows and will enable the free and secure flow of personal data from the UK to the US.
However, as stated above, the executive order does not currently result in an adequacy regulation in respect of transfers from the UK to the US under the UK GDPR, and this is still to be addressed over the coming months. As a result, organisations in the UK should continue to rely upon existing data transfer mechanisms, including undertaking Transfer Impact Assessments (TIAs) and Data Protection Impact Assessments (DPIAs) when considering personal data transfers from individuals located in the UK to the US. However, as the additional safeguards contained in the executive order take immediate effect, they may be taken into account by organisations when conducting TIAs, as these safeguards should lower the risk associated with such transfers.
If the UK’s adequacy regulation for the US is more lenient than the European Commission’s adequacy decision under the new Privacy Shield, this may increase the risk of the UK losing its adequacy status with the EU when the decision is next reviewed in 2025, or even before. However, the issuing of this executive order and the EU’s positive response does seem to reduce the threat to UK adequacy in relation to the EU’s concerns of a separate UK-US agreement.
UK organisations will hope that the US’ reformed data protection practices will result in reduced barriers to international transfers whilst also maintaining a cooperative relationship with the EU.
Article provided by INPLP member: Jonathan Kirsop (Pinsent Masons LLP, United Kingdom)
Dr. Tobias Höllwarth (Managing Director INPLP)