New legal situa­ti­on in the USA

Adapt trans­fer impact assessments!

Data export­ers must include the US president’s new exe­cu­ti­ve order in their trans­fer impact

On 7 Octo­ber, US Pre­si­dent Joe Biden issued the “Exe­cu­ti­ve Order on Enhan­cing Safe­guards for
United Sta­tes Signals Intel­li­gence Acti­vi­ties”
(“E.O.”), lay­ing the ground­work for the
imple­men­ta­ti­on of the new “EU-US Pri­va­cy Frame­work” (“Frame­work”). With the enact­ment of
the E.O., the legal situa­ti­on in the US has chan­ged. This not only forms the basis for the EU
Commission’s plan­ned ade­quacy decis­i­on, but alre­a­dy is having a direct impact on data trans­fers
to the United States.

1. What does the E.O. regulate?

The E.O. aims to address the ECJ’s con­cerns from the “Schrems II” Decis­i­on regar­ding data
trans­fers to the United Sta­tes. To this end, the E.O. con­ta­ins new rules of enga­ge­ment for US
intel­li­gence agen­ci­es and pro­vi­des affec­ted indi­vi­du­als with new reme­dies desi­gned to ensu­re
ade­qua­te pro­tec­tion of indi­vi­du­al pri­va­cy and liber­ties. The E.O. regu­la­tes in particular:

  • Addi­tio­nal safe­guards for US intel­li­gence agen­ci­es: Sur­veil­lan­ce mea­su­res may now only be car­ri­ed out if they are neces­sa­ry for natio­nal secu­ri­ty and do not dis­pro­por­tio­na­te­ly affect the pri­va­cy and free­doms of the per­son con­cer­ned. In addi­ti­on, pro­ce­du­res for hand­ling coll­ec­ted data must be imple­men­ted to redu­ce (fur­ther) pro­ces­sing to a minimum.
  • Two-tier appeal mecha­nism: EU citi­zens can now file a com­plaint against data access by US intel­li­gence agen­ci­es by appe­al­ing to the agency’s inter­nal data pro­tec­tion offi­cer in a first step and to the new “Data Pro­tec­tion Review Court” in a second step.

2. Effects of the E.O. in practice

The E.O. has the force of law and has direct effect. The legal situa­ti­on in the United Sta­tes has the­r­e­fo­re alre­a­dy chan­ged at this point in time. Howe­ver, data trans­fers on the basis of the ade­quacy decis­i­on will only be pos­si­ble after its ent­ry into force. Data export­ers must the­r­e­fo­re con­ti­nue to rely on appro­pria­te safe­guards, such as the EU Commission’s cur­rent Stan­dard Con­trac­tu­al Clau­ses (SCC) , and con­duct a trans­fer impact assess­ment (TIA). It must be taken into account that a TIA is not a sta­tic docu­ment. Ins­tead, the legal situa­ti­on and data pro­tec­tion prac­ti­ce in the third coun­try must be con­ti­nuous­ly moni­to­red and the TIA must be adapt­ed at least in the event of signi­fi­cant chan­ges. Data export­ers can the­r­e­fo­re alre­a­dy bene­fit from the new E.O. and must incor­po­ra­te the chan­ges into their risk assessment.

3. What’s next?

The EU Com­mis­si­on will issue a draft ade­quacy decis­i­on based on the E.O. and initia­te an adop­ti­on pro­ce­du­re. Data pro­tec­tion super­vi­so­ry aut­ho­ri­ties will be invol­ved through the Euro­pean Data Pro­tec­tion Board, which will issue an opi­ni­on. Due to the ela­bo­ra­te pro­cess, it is expec­ted to take until spring 2023 for the final ade­quacy decis­i­on to be announ­ced. Once the ade­quacy decis­i­on enters into force, data export­ers will be able to trans­fer per­so­nal data to the United Sta­tes wit­hout the use of fur­ther appro­pria­te safe­guards if the reci­pi­ent in the US com­ple­tes the U.S. Depart­ment of Commerce’s self-certification pro­cess and has signed on to the Framework’s data pro­tec­tion principles.


It will be some time befo­re the EU Commission’s new ade­quacy decis­i­on for data trans­fers to the US is adopted. Howe­ver, com­pa­nies that trans­fer data to the US should alre­a­dy be awa­re of the imme­dia­te impact of the E.O. and adjust the risk assess­ment in their TIAs accordingly.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.