A new legal mechanism to allow transfers of personal data between the EU and the U.S. is now advancing after an October 7th, 2022 Executive Order was issued by U.S. President Biden (the “Executive Order”). The new mechanism is referred to as the EU-U.S. Data Privacy Framework (the “Framework”) and is intended to replace the now-defunct EU-U.S. Privacy Shield mechanism. Specifically, the Executive Order provides the data protections that enable the potential creation of the Framework, which first debuted at a joint press conference in March 2022. Similar progress has also been made on an equivalent data transfer arrangement between the UK and U.S. governments. If realized and implemented, the Framework has the potential to lower legal barriers for personal data transfers between the EU and the UK on the one hand, and the U.S. on the other.

Background

The EU General Data Protection Regulation (“EU GDPR”) and the UK General Data Protection Regulation (“UK GDPR” and, collectively with the EU GDPR, the “GDPR”) place restrictions on personal data transfers to certain countries outside of the European Economic Area (“EEA”) and the UK.

An “adequacy decision” from the European Commission and comparable certification by the UK government are key mechanisms companies rely upon to comply with these GDPR restrictions. Specifically, a “positive” “adequacy decision” made by the European Commission can deem that either all data transfers to the relevant country, or transfers made to the relevant country under certain pre-approved data transfer mechanisms, satisfy such GDPR restrictions. To illustrate, the European Commission’s “positive” “adequacy decision” for the EU-U.S. Privacy Shield allowed EEA-based companies to transfer – in compliance with the GDPR – personal data to U.S.-based companies that had certified to the Privacy Shield program. However, the Privacy Shield “adequacy decision” was invalidated by the EU’s highest court – the Court of Justice of the European Union (the “CJEU”) – in 2020 in the Schrems II decision. In turn, since the Schrems II decision, companies that had relied on the Privacy Shield have had to use alternate data transfer mechanisms to comply with the EU GDPR.

The UK still has its own version of the EU GDPR – namely, the UK GDPR – in place following its exit from the EU, and case law issued before “Brexit”, such as the Schrems II decision, continues to apply in the UK. Therefore, and despite Brexit, data flows from the UK to the U.S. have continued to experience issues similar to those outlined above.

The Scope of the Executive Order

In light of the Schrems II decision, the Executive Order seeks to accomplish two key objectives to allow for the creation of the Framework:

  • impose restrictions on access by the U.S. government to data transferred from certain overseas jurisdictions (including from the EEA and the UK). Specifically, the Executive Order provides binding safeguards that limit access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security. Alleged extensive U.S. government access to EEA-originating personal data transferred under the Privacy Shield mechanism was a chief concern of the CJEU in Schrems II; and
  • provide for improved legal redress for individuals resident in such jurisdictions who claim that their privacy rights have been infringed. Specifically, the Executive Order establishes an independent and impartial redress process, which includes a new Data Protection Review Court (“DPRC”) to investigate and resolve complaints regarding access to their data by U.S. national security authorities. The redress process will start with the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (“CLPO”) conducting an initial investigation of complaints received to determine whether the Executive Order’s enhanced safeguards or other applicable U.S. law were violated. Importantly, the results of this process will be binding on the U.S. Intelligence agencies.

Next Steps for the Framework

The Framework is not likely to be available for use by companies before the end of this year. This is because separate “adequacy decisions” will first need to be issued – following potentially protracted and uncertain governmental and legislative processes – by the European Commission and the UK government by reference to the new data protections afforded by the Executive Order; however, both the Commission and the UK government have welcomed the Executive Order. In FAQs released in response to the Executive Order, the European Commission called the measures in the Executive Order “significant improvements”. The UK Government has also welcomed the publication of the Executive Order, saying that it “strengthens the safeguards and establishes new redress routes for UK data processed by US authorities”.

Once “adequacy decisions” are issued by the European Commission and the UK government, U.S. companies can seek to be certified by the U.S. Department of Commerce under the Framework. U.S. companies will be able to certify to the Framework by committing to comply with a detailed set of privacy obligations. While those obligations are not yet detailed, we expect that certain core GDPR principles will be among them, such as data minimization, purpose limitation, and certain data subject rights.

Ryan P. Blaney

Ryan Blaney represents health care, life science, and technology clients in a range of regulatory, enforcement, internal investigative and transactional matters, with particular expertise in privacy law, life sciences and digital health. He also has expertise in regulatory compliance, counseling clients on a range of matters, including health care fraud and abuse, third party reimbursement, data breach issues, data privacy and security, and FDA regulatory matters. He has substantial experience in pharmaceutical lifecycle management and competition issues, including the Hatch- Waxman Act and Biosimilars Price Competition and Innovations Act.

Ryan serves information technology companies, public and private health care companies, hospitals and physician organizations, manufacturers, medical device companies, and health plans. He guides venture capital groups, private equity funds, investment banks, and other investors on health care regulatory issues in connection with financing, mergers and acquisitions, and restructuring.

Ryan’s work is greatly informed by his experience as a teacher. Prior to attending law school, Ryan earned a master’s degree in education and taught at an under-resourced Catholic middle school. He is known for his ability to communicate clearly and to coordinate large teams working on complex matters. Outside of his health law practice, Ryan has been repeatedly recognized for his public service and pro bono work. He has successfully handled numerous education-related cases, helped establish three nonprofit organizations and defended qualified recipients of disability benefits.

Kelly McMullon

Kelly M. McMullon is special international labor, employment & data protection counsel in the Labor & Employment Law Department and member of the Firm’s International Labor & Employment, Privacy & Cybersecurity and Sports Groups. Kelly has been recommended in Legal 500 UK for her “responsiveness and practicality.”

Kelly assists clients in a variety of sectors including financial services, asset management, life sciences, fintech, consultancy, retail, sports, leisure and manufacturing in a wide range of contentious and non-contentious matters.

In her employment practice, she provides general day-to-day counselling and advice on all employment-related issues, including hires, terminations, grievances and redundancies, as well as the employment aspects of transactions.

In her data protection practice, Kelly provides strategic advice as well as practical support and guidance on all aspects of data protection compliance, including international transfers of personal data, data breaches, direct marketing and employee data protection concerns. She also provides advice on the data protection aspects of transactions.

Kelly also has experience working with businesses on CSR and ESG initiatives, human rights and modern slavery issues.

Kelly is a contributor to Proskauer’s International Labor and Employment Law and Proskauer on Privacy blogs and is the Editor for Proskauer on Privacy’s “International Data Privacy” chapter. She regularly provides training and speaks on employment and data protection issues.

Her pro bono experience includes counselling not-for-profit organizations on data privacy and employment-related issues.