A new legal mechanism enabling the transfer of personal data between the EU and the US has been underway since the October 7th, 2022 Executive Order issued by U.S. President Biden (“Executive Order”). The new mechanism is called the EU-US Data Privacy Framework (“Framework”) and is intended to replace the now-defunct EU-US Privacy Shield mechanism. Specifically, the Executive Order provides data protections that enable the potential creation of the Framework, which was announced at a joint press conference in March 2022. There have been similar developments with a comparable data transfer agreement between the UK and US governments. The Framework, if realized and implemented, could lower legal barriers to personal data transfers between the EU and the US and between the UK and the US.
Background
The European Union General Data Protection Regulation (“EU GDPR”) and the United Kingdom General Data Protection Regulation (“UK GDPR” and together with the EU GDPR, the “GDPR”) impose restrictions on the transfer of personal data to certain countries outside the European Economic Area (“EEA”) and the United Kingdom.
“Adequacy decisions” by the European Commission and equivalents by the UK government are important mechanisms that businesses rely on to comply with these GDPR restrictions. Specifically, a “positive” “adequacy decision” by the European Commission means that all transfers to the relevant country, or transfers to the relevant country under certain pre-approved data transfer mechanisms, are deemed to satisfy these GDPR restrictions. For example, the European Commission’s “positive” “adequacy decision” for the EU-US Privacy Shield permitted EEA-based businesses to transfer personal data, in compliance with the GDPR, to US-based companies certified under the Privacy Shield program. However, the Privacy Shield “adequacy decision” was invalidated in 2020 by the European Union’s highest court, the Court of Justice of the European Union (“CJEU”), in its Schrems II decision. This decision required companies that relied on the Privacy Shield to use alternative data transfer mechanisms to comply with the EU GDPR.
The UK still has its own version of the EU GDPR, the UK GDPR, which came into force after the UK left the EU, and case law such as the Schrems II decision, made before “Brexit”, still applies in the UK. So, despite Brexit, problems similar to those outlined above continue to arise with respect to data flows from the UK to the US.
Scope of Executive Order
In light of the Schrems II decision, and in order to enable the creation of the Framework, the Executive Order seeks to achieve two important goals:
- It imposes restrictions on access by the US government to data transferred from certain foreign jurisdictions (including the EEA and the UK). Specifically, the Executive Order provides binding safeguards that limit access to data by U.S. intelligence agencies to what is necessary and appropriate to protect national security. Allegations of large-scale access by the U.S. government to EEA-derived personal data transferred under the Privacy Shield mechanism were a major concern of the CJEU in Schrems II; and
- It provides improved legal remedies for individuals residing in such jurisdictions who claim their privacy rights have been violated. Specifically, the Executive Order establishes an independent and impartial redress process, including a new Data Protection Review Court (“DPRC”), to investigate and resolve complaints about access to data by U.S. national security agencies. The redress process begins with the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (“CLPO”) conducting an initial investigation of complaints received to determine whether the enhanced safeguards of the Executive Order or other applicable U.S. laws have been violated. Importantly, the outcome of this process is binding on US intelligence agencies.
Framework next steps
The Framework is unlikely to be ready for use by enterprises before the end of this year. A potentially protracted and uncertain governmental and legislative process by the European Commission and the UK Government must come first, with each resulting in a separate “adequacy decision” that refers to the new data protections granted by the Executive Order.
However, both the European Commission and the UK government have welcomed the Executive Order. The European Commission’s FAQ, issued in response to the Executive Order, called its measures a “significant improvement”. The UK government has also welcomed the issuance of the Executive Order, which it said would “strengthen safeguards for UK data processed by US authorities and establish new remedies”.
Once an Adequacy Decision is issued by the European Commission and the UK Government, US companies can seek certification by the US Department of Commerce under the Framework. U.S. businesses can become certified to the Framework by committing to comply with a detailed set of privacy obligations. The details of these obligations have not yet been clarified, but are expected to include certain key GDPR principles such as data minimization, purpose limitation, and certain data subject rights.