Biden Order Fleshes Out New US-EU Privacy Framework
President Joe Biden has signed an executive order outlining US commitments to safeguarding personal data in transfers between the States and the EU. The rules slot into the new Privacy Framework agreed in principle in March this year, intended to replace the fallen Privacy Shield arrangement.
The Trans-Atlantic Data Privacy Framework is supposed to address concerns which led to its predecessor being struck down by the Court of Justice of the European Union (CJEU) in the Schrems II decision of July 2020. Concerns centred around the powers given to US agencies to carry out bulk surveillance, with limited rights of redress under US law. The March framework envisaged that details of US promises on safeguarding of data would be published in an Executive Order and would form the basis of a future 'adequacy decision' by the European Commission. Post-Brexit, a separate UK agreement, the international data transfer agreement (IDTA), is still in draft form.
The Executive Order binds US surveillance agencies to limit their access to incoming data to information that is necessary and proportionate to protect national security - specifically work 'in pursuit of defined national security objectives', including assessment of foreign military capabilities, understanding threats affecting global security, and protecting against terrorism. It also establishes a new two-tier independent redress mechanism to investigate and resolve complaints, where the data concerned comes from designated countries, which will include the EU and UK.
While the European Commission has already said it believes the new safeguards address the problems identified by the ECJ in Schrems II, Austrian lawyer and privacy activist Max Schrems has suggested (https://noyb.eu/en/new-us-executive-order-unlikely-satisfy-eu-law) that differing interpretations of 'necessary' and 'proportionate' are likely to scupper it - although he is spending 'a couple of days' investigating the documents in detail.
The UK Government has said it will aim to complete its assessment 'in weeks ahead', while the EC says initial consideration, publication of a draft adequacy decision and consultation with the EDPB and member states will between them take around six months.
Our thanks to www.lexology.com for input on legal issues here.