Adapt transfer impact assessments!
Data exporters must include the US president’s new executive order in their transfer impact
On 7 October, US President Joe Biden issued the “Executive Order on Enhancing Safeguards for
United States Signals Intelligence Activities” (“E.O.”), laying the groundwork for the
implementation of the new “EU-US Privacy Framework” (“Framework”). With the enactment of
the E.O., the legal situation in the US has changed. This not only forms the basis for the EU
Commission’s planned adequacy decision, but is already having a direct impact on data transfers
to the United States.
1. What does the E.O. regulate?
The E.O. aims to address the ECJ’s concerns from the “Schrems II” Decision regarding data
transfers to the United States. To this end, the E.O. contains new rules of engagement for US
intelligence agencies and provides affected individuals with new remedies designed to ensure
adequate protection of individual privacy and liberties. The E.O. regulates in particular:
- Additional safeguards for US intelligence agencies: Surveillance measures may now only be carried out if they are necessary for national security and do not disproportionately affect the privacy and freedoms of the person concerned. In addition, procedures for handling collected data must be implemented to reduce (further) processing to a minimum.
- Two-tier appeal mechanism: EU citizens can now file a complaint against data access by US intelligence agencies by appealing to the agency’s internal data protection officer in a first step and to the new “Data Protection Review Court” in a second step.
2. Effects of the E.O. in practice
The E.O. has the force of law and has direct effect. The legal situation in the United States has therefore already changed at this point in time. However, data transfers on the basis of the adequacy decision will only be possible after its entry into force. Data exporters must therefore continue to rely on appropriate safeguards, such as the EU Commission’s current Standard Contractual Clauses (SCC), and conduct a transfer impact assessment (TIA). It must be taken into account that a TIA is not a static document. Instead, the legal situation and data protection practice in the third country must be continuously monitored and the TIA must be adapted at least in the event of significant changes. Data exporters can therefore already benefit from the new E.O. and must incorporate the changes into their risk assessment.
3. What’s next?
The EU Commission will issue a draft adequacy decision based on the E.O. and initiate an adoption procedure. Data protection supervisory authorities will be involved through the European Data Protection Board, which will issue an opinion. Due to the elaborate process, it is expected to take until spring 2023 for the final adequacy decision to be announced. Once the adequacy decision enters into force, data exporters will be able to transfer personal data to the United States without the use of further appropriate safeguards if the recipient in the US completes the U.S. Department of Commerce’s self-certification process and has signed on to the Framework’s data protection principles.
It will be some time before the EU Commission’s new adequacy decision for data transfers to the US is adopted. However, companies that transfer data to the US should already be aware of the immediate impact of the E.O. and adjust the risk assessment in their TIAs accordingly.