For Europeans whose personal data is transferred to the U.S., new binding safeguards are coming with the signing of a new Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ on October 7th, 2022. These binding safeguards address all the points raised by the Court of Justice of the EU, protecting EU data from unrestricted access by United States intelligence services. The associated changes include the establishment of a Data Protection Review Court. As the European Commission embarks on the preparation of its draft adequacy decision, as well as the launch of its adoption procedure, the organization has released a clarifying statement on this new EU-U.S. Data Privacy Framework.
The Executive Order and the accompanying Regulations implement the commitments made by the US in the agreement in principle announced in March 2022.
This Executive Order will implement binding safeguards that limit access to data by US intelligence authorities to only what is considered necessary and proportionate to protect national security. In addition, an independent and impartial redress mechanism will be established, which includes a new Data Protection Review Court (‘DPRC’), for the purpose of investigating and resolving complaints regarding access to EU data by US national security authorities. The Executive Order requires US intelligence agencies to review their policies and procedures in order to implement these new safeguards.
With the adoption of the Executive Order and the accompanying Regulations, the Commission can now propose a draft adequacy decision and launch its adoption procedure.
There are various steps to the adoption procedure for an adequacy decision. These include obtaining an opinion from the EDPB and approval from a committee composed of representatives of the EU Member States. The European Parliament also has a right to scrutinize adequacy decisions. Only after all of this can the European Commission adopt the final adequacy decision in relation to the US. Once this is accomplished, however, data will be able to flow freely and safely between the EU and US companies certified by the Department of Commerce under the new framework. US companies will then be able to join the framework by committing to comply with a detailed set of privacy obligations. In the meantime, it is important for companies to note that an adequacy decision is not the only tool for international transfers. Companies can introduce Standard Contractual Clauses (SCCs) in their commercial contracts after performing a Data Transfer Impact Assessment and implementing any necessary supplementary measures. SCCs are the most used mechanism to transfer data from the EU.