On October 7, 2022, President Biden signed an executive order implementing the EU-U.S. Data Privacy Framework.   Announced in March, this framework replaces the Privacy Shield program that the EU Court of Justice invalidated in July 2020 with its Schrems II decision. That decision stated that the United States did not provide a level of data protection that was “essentially equivalent” to that provided within the EU because signal intelligence surveillance by U.S. agencies was considered too broad and EU residents were not provided with effective remedies.  

The new framework is intended to facilitate the cross-border transfer of personal information from the EU to the U.S. in compliance with the EU’s General Data Protection Regulation (GDPR).  The executive order specifically addresses the process by which the U.S. intelligence community handles the personal data of EU residents and responds to complaints from EU residents.  Detailing the commitments made in the March announcement, the executive order provides the basis for the EU to proceed with an “adequacy” decision under the GDPR regarding cross-border data transfers.  With these additional protections in place, it is expected that a revised cross-border transfer framework can be finalized in the next few months.

According to the White House Fact Sheet accompanying the March announcement, the new framework requires that U.S. intelligence agencies may only conduct data-gathering operations that are necessary to advance legitimate national security objectives, and which do not disproportionately impact individual privacy and civil liberty interests.   The independent Privacy and Civil Liberties Oversight Board is charged with reviewing the U.S. intelligence community’s implementation of the new principles and procedures, including the outcome of redress decisions, and conducting annual compliance reviews.

The revised framework establishes a multi-tiered process by which EU residents can seek redress for alleged violations, replacing the government “ombudsperson” process rejected as inadequate by the EU court.  As a first step, EU residents can lodge complaints with the Civil Liberties Protection Officer (CLPO) in the Office of the Director of National Intelligence, who will perform an initial investigation and make binding decisions.  As a second level of review, the U.S. Department of Justice will establish an independent Data Protection Review Court comprised of independent judges who will review the CLPO’s decisions and “have full authority to adjudicate claims and direct remedial measures as needed.”   EU residents may file complaints via “special advocates” to represent their interests.

More than 5,300 companies participated in the Privacy Shield program before it was invalidated. Further, the decision invalidating Privacy Shield raised concerns about the adequacy of alternative data transfer mechanisms, including standard contractual clauses and binding corporate rules.  The safeguards and provisions contained in the March announcement and October 7 executive order would also apply to data transferred under these alternative mechanisms.

The next step is for the EU to conduct a determination as to whether the U.S. commitments meet GDPR’s “adequacy” standard for the transfer of personal data, a process anticipated to take about six months.  Once ratified by the European Commission, participation in the revised framework will require that companies self-certify their adherence with the U.S. Department of Commerce.  Although any adequacy determination is likely to be challenged in the EU courts, the new framework will create much greater certainty for the many organizations that depend on cross-border data flows to drive the trillions of dollars in annual cross-border commerce. 

Crowell and Moring will continue to follow developments on these issues and provide ongoing updates.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Maarten Stassen Maarten Stassen

Maarten Stassen is a partner in the Brussels office of Crowell & Moring, where he is a member of the firm’s Privacy & Cybersecurity Group. His practice focuses on privacy and data protection, including the General Data Protection Regulation (GDPR) and cross-border data…

Maarten Stassen is a partner in the Brussels office of Crowell & Moring, where he is a member of the firm’s Privacy & Cybersecurity Group. His practice focuses on privacy and data protection, including the General Data Protection Regulation (GDPR) and cross-border data transfers solutions, as well as on the legal and operational aspects of the digital ecosystem, including Internet of Things (IoT), MedTech, and upcoming technologies such as Distributed Ledger Technology (e.g. Blockchain).

Before joining Crowell & Moring, Maarten was a director in Deloitte’s Cyber practice, as well as the Faculty Leader of the European Privacy Academy. He has been focusing on privacy and data protection law for many years, first as a lawyer in both Spain and Belgium, and later as European Privacy Officer of an international health insurance company.

Photo of Christiana State Christiana State

Christiana State (CIPP/US, CIPP/E) is a senior counsel in Crowell & Moring’s San Francisco office and a member of the firm’s Corporate and Privacy & Cybersecurity groups. Christiana focuses her practice on counseling clients on technology and privacy matters. Christiana leverages a combination…

Christiana State (CIPP/US, CIPP/E) is a senior counsel in Crowell & Moring’s San Francisco office and a member of the firm’s Corporate and Privacy & Cybersecurity groups. Christiana focuses her practice on counseling clients on technology and privacy matters. Christiana leverages a combination of in-house counsel experience and electrical engineering training to guide emerging technology companies through transformational growth stages. Christiana represents technology companies, from start-ups to multinational corporations, in various industry segments, such as: AI/ML, cloud services, biometrics, semiconductors and computing architectures, gaming, AR/VR, drones, and EV charging.

Christiana brings a pragmatic and business-focused approach to her representations. Prior to Crowell, she spent over a decade serving as in-house counsel for various technology companies in Silicon Valley. In those roles, Christiana led cross-functional teams while managing global technology and intellectual property deals, product launches and related regulatory matters, and intellectual property strategies.

Photo of Wietse Vanpoucke Wietse Vanpoucke

Wietse Vanpoucke is an associate at Crowell & Moring’s Brussels office and a member of the Intellectual Property Group. He focuses predominantly on the life sciences industry and has a particular interest in digital health. Clients ranging from innovative start-up ventures to multinational…

Wietse Vanpoucke is an associate at Crowell & Moring’s Brussels office and a member of the Intellectual Property Group. He focuses predominantly on the life sciences industry and has a particular interest in digital health. Clients ranging from innovative start-up ventures to multinational corporations rely on Wietse for advice regarding European regulatory affairs, and on all aspects of IP and IT law. Wietse also has a keen interest in emerging technologies, such as artificial intelligence, blockchain, and the internet of (medical) things, and he closely monitors legal developments that affect the use of these technologies.