New legal situa­ti­on in the USA

Adapt trans­fer impact assessments!

Data export­ers must include the US president’s new exe­cu­ti­ve order in their trans­fer impact
assess­ment.

On 7 Octo­ber, US Pre­si­dent Joe Biden issued the “Exe­cu­ti­ve Order on Enhan­cing Safe­guards for
United Sta­tes Signals Intel­li­gence Acti­vi­ties” (“E.O.”), lay­ing the ground­work for the
imple­men­ta­ti­on of the new “EU-US Pri­va­cy Frame­work” (“Frame­work”). With the enact­ment of
the E.O., the legal situa­ti­on in the US has chan­ged. This not only forms the basis for the EU
Commission’s plan­ned ade­quacy decis­i­on, but alre­a­dy is having a direct impact on data trans­fers
to the United States.

1. What does the E.O. regulate?

The E.O. aims to address the ECJ’s con­cerns from the “Schrems II” Decis­i­on regar­ding data
trans­fers to the United Sta­tes. To this end, the E.O. con­ta­ins new rules of enga­ge­ment for US
intel­li­gence agen­ci­es and pro­vi­des affec­ted indi­vi­du­als with new reme­dies desi­gned to ensu­re
ade­qua­te pro­tec­tion of indi­vi­du­al pri­va­cy and liber­ties. The E.O. regu­la­tes in particular:

• Addi­tio­nal safe­guards for US intel­li­gence agen­ci­es: Sur­veil­lan­ce mea­su­res may now only be car­ri­ed out if they are neces­sa­ry for natio­nal secu­ri­ty and do not dis­pro­por­tio­na­te­ly affect the pri­va­cy and free­doms of the per­son con­cer­ned. In addi­ti­on, pro­ce­du­res for hand­ling coll­ec­ted data must be imple­men­ted to redu­ce (fur­ther) pro­ces­sing to a minimum.
• Two-tier appeal mecha­nism: EU citi­zens can now file a com­plaint against data access by US intel­li­gence agen­ci­es by appe­al­ing to the agency’s inter­nal data pro­tec­tion offi­cer in a first step and to the new “Data Pro­tec­tion Review Court” in a second step.

2. Effects of the E.O. in practice

The E.O. has the force of law and has direct effect. The legal situa­ti­on in the United Sta­tes has the­r­e­fo­re alre­a­dy chan­ged at this point in time. Howe­ver, data trans­fers on the basis of the ade­quacy decis­i­on will only be pos­si­ble after its ent­ry into force. Data export­ers must the­r­e­fo­re con­ti­nue to rely on appro­pria­te safe­guards, such as the EU Commission’s cur­rent Stan­dard Con­trac­tu­al Clau­ses (SCC) , and con­duct a trans­fer impact assess­ment (TIA). It must be taken into account that a TIA is not a sta­tic docu­ment. Ins­tead, the legal situa­ti­on and data pro­tec­tion prac­ti­ce in the third coun­try must be con­ti­nuous­ly moni­to­red and the TIA must be adapt­ed at least in the event of signi­fi­cant chan­ges. Data export­ers can the­r­e­fo­re alre­a­dy bene­fit from the new E.O. and must incor­po­ra­te the chan­ges into their risk assessment.

3. What’s next?

The EU Com­mis­si­on will issue a draft ade­quacy decis­i­on based on the E.O. and initia­te an adop­ti­on pro­ce­du­re. Data pro­tec­tion super­vi­so­ry aut­ho­ri­ties will be invol­ved through the Euro­pean Data Pro­tec­tion Board, which will issue an opi­ni­on. Due to the ela­bo­ra­te pro­cess, it is expec­ted to take until spring 2023 for the final ade­quacy decis­i­on to be announ­ced. Once the ade­quacy decis­i­on enters into force, data export­ers will be able to trans­fer per­so­nal data to the United Sta­tes wit­hout the use of fur­ther appro­pria­te safe­guards if the reci­pi­ent in the US com­ple­tes the U.S. Depart­ment of Commerce’s self-certification pro­cess and has signed on to the Framework’s data pro­tec­tion principles.

Con­clu­si­on

It will be some time befo­re the EU Commission’s new ade­quacy decis­i­on for data trans­fers to the US is adopted. Howe­ver, com­pa­nies that trans­fer data to the US should alre­a­dy be awa­re of the imme­dia­te impact of the E.O. and adjust the risk assess­ment in their TIAs accordingly.