Data transfers: the US signed an Executive Order to comply with EU law

On October 7, 2022, the U.S. president issued an Executive Order¹ aimed at lifting restrictions on the flow of personal data between the EU and the United States. The act was adopted the day after the anniversary of the Schrems ruling, issued by the CJEU on October 6, 2015. Since this ruling, data exchanges with the United States have in theory been prohibited, subject to the implementation of appropriate safeguards. The Privacy Shield, which was intended to address this problem, was a short-term solution.

Safeguards introduced to limit the risks of EU-US transfers

With this Executive Order, the United States commits to adopting measures aimed at compensating for its legal shortcomings, which could affect the rights of individuals located in the EU, in the event of the transfer of their data. The United States therefore announces the upcoming implementation of the following guarantees:

  • Further safeguards for existing signals intelligence measures: They should be restricted to a national security objective, balanced with the rights and freedoms of individuals, and used only where necessary and proportionate.
  • Generalized management of personal data: U.S. intelligence agencies are required to update their procedures and policies to reflect the new Executive Order’s measures.
  • Strengthened control and compensation of individuals:
    • The Civil Liberties Protection Officer (CLPO) in the Office of the Director of National Intelligence will handle complaints about violations of the Executive Order. His decisions will be binding on all intelligence services.
    • A Data Protection Review Court (DPRC) will be established to provide independent and binding review of the CLPO’s decisions. Judges will have to be independent of the US government, have expertise in personal data, and will not be removable.
    • The existing Privacy and Civil Liberties Oversight Board (PCLOB) will be responsible for reviewing the consistency of future procedures and policies adopted by the US Intelligence Community.

Standard clauses and TIA still required

The Executive Order marks an important step towards further liberalisation of EU-US data flows. However, it does not yet permit free transfers to the US. For this, an adequacy decision will still have to be adopted by the European Commission. Organisations should therefore continue to implement the standard contractual clauses (SCC) and conduct an analysis of U.S. law (Transfer Impact Assessment - TIA). The US has responded to the shortcomings identified by the EU, which implies an update of the existing TIAs.

Expected developments

The EDPB has already announced that a detailed analysis of the Executive Order will be published, to gauge the level of adequacy. In the US, the Department of Justice has confirmed the creation of a dedicated jurisdiction (the DPRC).

This act seems to provide a better framework for surveillance measures and for the question of recourse/compensation for data subjects than what was established in the Safe Harbor and the Privacy Shield. Both were invalidated because they did not lead to substantial changes in US law.

It is now up to the European Commission and probably soon the CJEU to judge the adequacy of the new measures.

¹ Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities, The White House, October 7, 2022 (Data Privacy Framework)
