EU-U.S. Data Transfers – what is going on?


On the 25th March 2022, the data privacy world was abuzz with the news that an agreement in principle had been reached between the United States and the European Commission on a new Trans-Atlantic Data Privacy Framework. Developments since then were few and far between, leading many to question the efficacy of the steps being taken to foster data flows across the Atlantic after the 2020 Schrems II decision by the Court of Justice of the European Union (‘CJEU’) which invalidated the Privacy Shield agreement in place at the time.


But the gears are now back in motion. On the 7th October 2022, President Biden signed an executive order implementing the long awaited framework. The Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (hereinafter referred to as the ‘E.O.’), as the name implies, particularly addresses the issues raised in Schrems II around access to the personal data of EU based data subjects for U.S. signals intelligence activities.


In this regard, the E.O. establishes that these activities should be conducted only in pursuit of defined national security objectives and only when necessary to advance a validated intelligence priority. Effectively, and at face value, these new safeguards seem to be simply ensuring that the basic principles of data privacy under the GDPR (and the majority of global data protection legislation), particularly the purpose limitation principle and the principle of lawfulness, fairness and transparency, are complied with by the U.S. Intelligence Community. The application of the concept of necessity and proportionality is also evident in the E.O., with emphasis being placed on limiting collection of personal data based on a targeted and validated intelligence priority. Bulk collection is subject to specific limitations and to authorisation based on a determination of necessity.


The E.O. also mandates a number of rules applicable to the ‘handling’ of the personal data in question, including the obligation on the U.S. Intelligence Community to establish and apply procedures and policies regulating the retention and dissemination of personal data collected through signals intelligence activities. This record-keeping obligation also extends to other oversight functions, and is in conformity with the data accuracy principle, with the ultimate aim being that of ensuring data quality.

Of most relevance to data subjects is the creation of a multi-layer mechanism for the data subjects to obtain independent and binding review and redress of their claims that their data was processed by the U.S. Intelligence Community in breach of applicable U.S. law, including the safeguards set out within the E.O. itself.  As a first layer, the mechanism establishes the undertaking of an initial investigation by the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (‘CLPO’), of qualifying complaints made on the basis that the E.O.’s enhanced safeguards were violated. Any decision taken by the CLPO is binding on the U.S. Intelligence Community, subject to the second layer of the mechanism, being the establishment of the Data Protection Review Court (‘DPRC’).


Attorney General Merrick Garland signed a new regulation establishing the DPRC on the 7th October 2022, setting out the role of the DPRC to provide independent and binding review of the decisions of the CLPO. In order to ensure autonomy, the DPRC will be composed of judges enjoying protections against removal, which judges will be appointed from outside the U.S. Government, and most importantly, have expertise in the fields of national security and privacy. The DPRC will be in a position to not only assess whether there was a violation of applicable U.S. law, but also decide on what remediation is to be implemented. Any decisions adopted by the DPRC are binding. The redress process and the implementation of policies and procedures of the U.S. Intelligence Community are subject to the review of the Privacy and Civil Liberties Oversight Board.


So what is next? Besides the signature of the E.O. by President Biden and the signature of new regulations on the DPRC by the U.S. Attorney General, the U.S. Secretary of Commerce has stated that a series of letters from relevant U.S. government agencies, as well as documents outlining the operation and enforcement of the EU-US Trans-Atlantic Data Privacy Framework, will be communicated to the European Commissioner for Justice. On the basis of these changes, the European Commission will be able to initiate its assessment and prepare its draft adequacy decision.


This does not mean that we will be seeing the EU-US Trans-Atlantic Data Privacy Framework in its final version any time soon. The adoption procedure for an adequacy decision is convoluted and lengthy – the proposed adequacy decision would be subject to the scrutiny of the European Data Protection Board as well as the European Parliament, before even making it to the final stage of adoption by the European Commission.


The NGO founded by Max Schrems, noyb, has, in a first reaction, stated that the E.O. is unlikely to satisfy EU law, on the basis that U.S. mass surveillance does not appear set to change in practice and that the redress offered by the DPRC, as an executive body, would not amount to judicial redress. The European Commission has made it clear that it does not believe that the new EU-US Trans-Atlantic Data Privacy Framework will be struck down by the CJEU, stating that the objective of the lengthy negotiations with the U.S. was purely to ensure that all concerns raised in Schrems II are adequately addressed.


In the meantime, EU-US data transfers, whilst not illegal, continue to be ‘difficult’, particularly in light of the various decisions taken by supervisory authorities since the Privacy Shield was invalidated. With the signing and coming into force of the E.O., however, controllers and processors involved in data transfers across the Atlantic can look to the provisions of the E.O. and consider the same in their risk-based assessment on the use of standard contractual clauses and the application, if at all, of the supplementary measures to that data transfer.


The adoption procedure could take up to six months, meaning that unless it is finalised earlier, we could be seeing the EU-US Data Privacy Framework in its final version by March 2023. Till then, we wait.


For any queries or further information, contact Sarah Cannataci on