
New EU-US Data Privacy Framework

October 14, 2022 | By Preiskel & Co

President Biden signed an Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities” (“Executive Order”) on 7 October 2022. In conjunction with the regulations issued by the US Attorney General to establish a Data Protection Review Court (“DPRC”), the Executive Order implements into US law the agreement in principle revealed by President Biden and President von der Leyen in March of 2022 on a new EU-US Data Privacy Framework.

The Executive Order introduces new binding safeguards to address all the points raised by the Court of Justice of the EU (“CJEU”), limiting access to EU data by US intelligence services and creating the new DPRC. The European Commission is consequently now in a position to prepare a draft adequacy decision and to launch its adoption process.

Impact on transatlantic transfers of EU personal data

For Europeans whose personal data is transferred to the US, the new Executive Order and the accompanying regulations provide the legal framework for:

  • Binding safeguards that limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security; and
  • The establishment of an independent and impartial remedy mechanism, which includes the new DPRC to investigate and resolve complaints regarding access to their data by US national security authorities.

The Executive Order also requires US intelligence agencies to review their policies and procedures to implement these new safeguards. These are significant improvements compared to the Privacy Shield, which the CJEU declared an invalid transfer mechanism under EU law in the so-called Schrems II decision of July 2020.

Role of the new DPRC

In order to be in keeping with EU data privacy standards and to add further safeguards, the new DPRC will independently review determinations made by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence (“ODNI CLPO”) in response to qualifying complaints sent by individuals through appropriate public authorities that allege certain violations of US law in the conduct of US signals intelligence activities.

Amongst other enhancements, these new safeguards will include:

  • Requiring that such signals intelligence activities be conducted only in pursuit of well-defined national security objectives;
  • Taking into consideration the privacy and civil liberties of all individuals, regardless of nationality or country of residence, and conducting such activities only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority;
  • Requiring US Intelligence Community elements to update their policies and procedures to reflect the new privacy and civil liberties safeguards contained in the Executive Order;
  • Creating a multi-layer mechanism for individuals from qualifying states and regional economic integration organisations, as designated pursuant to the Executive Order, to obtain independent and binding review and redress of claims that their personal information collected through US signals intelligence was collected or handled by the US in violation of applicable US law, including the enhanced safeguards in the Executive Order; and
  • Calling on the Privacy and Civil Liberties Oversight Board to review Intelligence Community policies and procedures to ensure that they are consistent with the Executive Order and to carry out an annual review.

The above safeguards will enable the European Commission to imminently adopt a new adequacy determination, which will reintroduce a simple and effective transatlantic data transfer mechanism under EU law. It will also afford a greater level of legal certainty for organisations using Standard Contractual Clauses[1] (the “SCCs”) and Binding Corporate Rules[2] (“BCR”) to transfer EU personal data to the US.

Approval of new US Data Privacy Framework at UK and EU level

Despite the Executive Order having immediate effect, the UK and the EU are expected to take some time to approve the new US Data Privacy Framework under their respective legal systems. Until such time as the new framework is implemented at UK and EU level and these jurisdictions are in turn deemed as qualifying under the redress mechanism in the US, data exporters will need to continue carrying out transfer risk assessments in addition to using SCCs and BCR. This will include factoring in the Executive Order itself in the analysis and taking into consideration whether additional technical, contractual, or organisational measures are required.

This is a developing piece of legislation with a multitude of ramifications for transatlantic transfers of personal data. We will be monitoring it closely and updating our blog accordingly.

Related articles

See more on the Schrems II decision here.

Find the Executive Order here, the Executive Order Q&As here and the EU Justice announcement here.

Please contact Jose Saras and Xavier Prida if you have any questions about international data transfers.

The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.

 

[1] According to the EU General Data Protection Regulation (GDPR), contractual clauses ensuring data protection safeguards can be used as a ground for data transfers from the EU to so-called third countries. This includes model contract clauses that have been “pre-approved” by the European Commission.

[2] Binding Corporate Rules are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises. Such rules must include all general data protection principles and enforceable rights to ensure appropriate safeguards for international data transfers.
