October 18, 2022 | Amanda Khatri

Important milestone reached: Biden signs executive order to protect US and EU data transfers


The dark side of the internet does not just refer to the dark web, fraud, hacking, malware and spam. It also alludes to the unlawful collection or storage of data. Regulators are clamping down on this through the likes of the General Data Protection Regulation (GDPR), Personal Information Protection and Electronic Documents Act (PIPEDA), Personal Data Protection Commission (PDPC) and many more regulations across the globe…

Then we have the US, a country with a complex tapestry of data provisions. Of course, on a cross-border basis, the US previously used the Data Protection Shield (DPS) – a legal framework that regulated transatlantic exchanges of personal data between the US and the European Union (EU). Many US businesses relied on this to transfer data legally across the Atlantic.

However, in July 2020, the European Court of Justice overturned this very privacy shield, ruling that it did not sufficiently protect EU data when it is transferred to the US. It was also found that some transatlantic programmes did not have adequate measures for how the government controlled the data. This ruling is also known as Schrems 2.

Since Schrems 2, there have been discussions between the US and EU on how to overcome data concerns. In a letter, the ex-Deputy Assistant of Commerce Security said that Schrems 2 “created enormous uncertainty about the ability of companies to transfer personal data from the European Union to the United States in a manner consistent with EU law.” The conclusion was that the US was required to use “EU-approved data transfer mechanisms.”

In a bid to close the data protection gaps, on 7 October 2022, President Biden signed an executive order on a data privacy framework to allow firms to obtain and store personal data without violating GDPR. This marks the first step in implementing the commitments made by the US in an agreement announced back in March 2022.

Here’s what you need to know

The executive order will enforce significant modifications to the current US privacy framework. It provides for:

  • Binding safeguards that restrict access to data by US intelligence authorities.
  • The establishment of an independent mechanism, including a new Data Protection Review Court (DPRC) to investigate and resolve complaints.

Biden stated that “transatlantic data flows are critical to enabling the $7.1 trillion EU-US economic relationship. The EU-US DPF will restore an important legal basis for transatlantic data flows by addressing concerns that the Court of Justice of the European Union raised in striking down the prior EU-US Privacy Shield Framework as a valid data transfer mechanism under EU law.”

Under the transatlantic data-sharing agreement with the EU, the US would be granted restricted access to European citizens’ personal data. In addition:

  • The US Department of Justice will create a new body that will regulate how American security agencies can obtain and store data from European and US citizens. This is to oversee and look into any breaches of privacy rights.
  • Individuals will be able to file lawsuits when they believe data is being used unlawfully.
  • US intelligence agencies will only be entitled to collect data for defined security objectives and only when necessary and respectful of privacy. They will also be required to update all policies to reflect the new guidelines.

The EU-US Data Privacy Framework aims to provide a greater level of legal certainty through organisations being more transparent with how they collect and use data. It also looks to address any cases of non-compliance to ensure firms are acting accordingly.

The EU will be required to begin the process of approving the EU-US Data Privacy Framework, which could take roughly 6 months – taking us to March 2023. After this, the European Commission as well as other EU countries will be required to implement the changes to their own regulations.

Some have speculated that the EU-US Data Privacy Framework does not adequately address the concerns brought up during Schrems 2. In a recent briefing, one of the officials said, “we do expect there’s a decent chance somebody may try to challenge this in Europe, and I think what the courts will see is that we have really put forward a framework that is fundamentally different from what was in place before.” Only time will tell if this is the case and whether the EU has any more concerns it would like to voice.

What does this mean for firms?

Once the Executive Order has been approved, it will be time to roll it out to US companies that will need to comply with a set of data privacy regulations. In the meantime, firms should ensure their current activities are GDPR-compliant, which will, in turn, enable a greater level of operational effectiveness.

The big tech firms in the US such as Meta are welcoming the measure. With Meta’s President of Global Affairs, Nick Clegg, tweeting:

The UK and US have also delivered a joint statement in which the UK welcomes the Executive Order. The nations “recognise the strategic advantage of technology as crucial for securing our prosperity and security.”

Within the statement, the UK has said it “intends to work expediently to conclude its assessment, with the aim of issuing an adequacy decision that will restore a stable and reliable mechanism for the US-UK data flows. The United States intends to work to designate the UK as a qualifying state under the Executive Order, assuming the conditions for such designation can be satisfied, which could enable UK individuals who submit qualifying complaints to access the redress mechanism established under the Executive Order.”

CUBE comment

Private data regulation is a topic where a great deal of thought is required. A person’s online data footprint can be used for unlawful purposes, and so, we welcome regulation to prevent this. The US is gearing up to have new data regulations in place to move data securely and safely whilst protecting customers.

Being operationally resilient is important so that firms can prevent, adapt, respond to, recover and learn from any operational disruptions. In this case, by implementing the new data laws within their own frameworks, firms can adapt to the new regulations and continue to operate as usual.

The US-EU data regulation changes are a step in the right direction. There has already been some backlash, such as that from the European consumer group, BEUC, which stated that the new framework “is likely still insufficient to protect Europeans’ privacy and personal data when it crosses the Atlantic” as “there are no substantial improvements to address issues related to the commercial use of personal data, an area where the previous agreement…fell short of GDPR requirements.”

This leads to the question – do the new proposed laws go far enough in protecting citizens and their privacy? And where do we go from here? Either way, firms will need to keep on top of this fast-moving area of regulatory change and remain compliant throughout.

If you are worried about the upcoming data regulations, please get in touch.

