In July 2020, the Court of Justice of the European Union (CJEU) declared the EU-U.S. Privacy Shield invalid. The EU-U.S. Privacy Shield program was designed to provide European Economic Area (EEA) data transferred to the U.S. with a level of protection comparable to EU law. The CJEU invalidated the program, stating that U.S. companies could not provide an essentially equivalent level of protection based on the breadth of U.S. national security surveillance laws, FISA 702, E.O. 12.333, and PPD 28. In the wake of the decision, businesses relying on the EU-U.S. Privacy Shield as an adequate transfer mechanism to perform routine activities, such as sending employee data from the EEA to U.S. headquarters for HR administration, accessing a global HR database from the U.S., remotely accessing EEA user accounts from the U.S. for IT services, providing EEA data to third-party vendors for processing in the U.S., or relying on certain cloud-based services, were forced to rely on alternate mechanisms, including standard contractual clauses.
On October 7, 2022, President Biden signed an Executive Order that outlines steps the U.S. government will take to implement a new EU-U.S. data privacy framework, the Trans-Atlantic Data Privacy Framework, to replace the invalidated EU-U.S. Privacy Shield.
The new Framework is designed to restore a legal basis for transatlantic data flows and addresses concerns raised in the CJEU decision by strengthening privacy and civil liberties protections for foreign individuals and creating an independent and binding process for non-U.S. citizens to seek redress if they believe their personal data was improperly collected through U.S. signals intelligence. Signals intelligence activities involve collecting foreign intelligence from communications and information systems.
The Executive Order is the first step toward rebuilding the EU-U.S. data protection program. Over the next few months, the EU Commission will review the framework and, if satisfied with the proposed safeguards and protections for EU data and individuals, issue an “adequacy decision” that concludes data transferred to the U.S. will receive an essentially equivalent level of protection. While legal challenges to this new framework are anticipated, the Executive Order demonstrates a U.S. commitment to addressing EU concerns regarding data protection. It also provides an incentive to U.S. organizations to maintain their EU-U.S. Privacy Shield certification in hopes it can be leveraged under the new framework.