Executive Order on the EU-US Data Privacy Framework

News flash

Philipp Rosenauer
Partner Legal, PwC Switzerland

Anouk Geene
Associate | Data Privacy | ICT | Implementationᐩ, PwC Switzerland

On 7 October 2022, US President Joe Biden issued an eagerly awaited Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities”, which is a prerequisite of the new EU-US Data Privacy Framework (EU-US DPF).

The previous EU-US Privacy Shield framework facilitating transatlantic data transfers was invalidated by the Court of Justice of the European Union in its Schrems II decision of July 2020. Of particular concern were the inconsistencies between the digital surveillance practices of the US national security agencies, with their wide-ranging ability to access personal data, and the EU’s fundamental rights to privacy.

Back in March 2022, President von der Leyen and President Biden announced that they had reached an agreement in principle on a new framework that addresses the Court’s concerns. The new Executive Order implements this agreement in principle into US law. 

What’s new?

  • Civil liberties safeguards and limits on US signals intelligence activities (digital surveillance) – the Executive Order imposes necessity and proportionality requirements, thereby limiting intelligence and surveillance activity to the pursuit of defined and legitimate national security objectives only. The implementation of an oversight mechanism to verify compliance is included in the Order, which will require the US Intelligence Community to update its current policies and practices.
  • Independent and binding two-layer redress mechanism – this mechanism will allow EU data subjects to lodge qualifying complaints with the incoming “Civil Liberties Protection Officer” (CLPO) if they feel their personal data was illegally collected and processed by the US agencies. The second layer of the redress mechanism gives individuals the possibility of appealing the CLPO’s decision before the newly created and independent “Data Protection Review Court” (DPRC).

Next steps for the EU

The EU-US DPF now awaits review by the European Commission and a legal opinion from the European Data Protection Board, which will assess whether the Order sufficiently addresses the gaps identified by Schrems II. The end goal would be the adoption of an adequacy decision robust enough to withstand any future legal scrutiny. However, this legislative process could take at least six months. 

What does it mean for EU-US data flows?

Since the invalidation of the EU-US Privacy Shield, cross-border transfers have been in a burdensome and uncertain “legal limbo” subject to complex and costly Transfer Impact Assessments and Standard Contractual Clauses. The EU-US DPF therefore breaks new ground and is a first step in the right direction for providing much needed legal certainty to companies conducting cross-continental business. Nonetheless, until the publication of an adequacy decision, companies will have to continue relying on supplementary transfer tools. 

What is the impact on Swiss-US data flows?

Following the invalidation of the EU-US Privacy Shield in 2020, the Swiss Federal Data Protection and Information Commissioner (FDPIC) followed suit and held that the CH-US Privacy Shield did not provide an adequate level of protection for transfers of data from Switzerland to the US. Whether the measures under the new EU-US DPF will help bridge those adequacy gaps and restore reliable and certain Swiss-US data transfers is likewise something that will be up for debate soon.

Regardless, despite EU legislation not being binding on Switzerland (as a non-EU member), Swiss companies that process the personal data of EU citizens would be subject to the EU-US DPF. Keeping track of the upcoming legislative approval process is therefore of relevance to Swiss companies. 

