Is the U.S. executive order the solution to data transfer?

The President of the United States has adopted the executive order to create the EU-US Data Privacy Framework, but is this the solution to the transfer of personal data out of the EEA?

The big news is that President Biden signed the executive order from which the European Commission’s adequacy decision on the transfer of personal data from the European Union to the United States might follow.

Below is our analysis of the situation and the possible consequences:

What does the U.S. executive order provide on the framework for data transfer?

The main contents of the executive order:

1. adds safeguards for U.S. intelligence activities. In particular, the executive order recalls the principles of necessity and proportionality also provided for in the GDPR

📌 It will be decisive to understand whether these principles will be applied by the U.S. government according to the same interpretation as provided by the European Privacy Regulation to avoid the critical issues challenged by the European Court of Justice in the Schrems 2 ruling will remain.

2. imposes requirements on processing for personal data collected through intelligence activities

📌 We will need to understand whether U.S. companies must comply with the same principles under the GDPR regarding data transferred from the European Union (e.g., the legal basis of processing and lawfulness of processing).

3. requires U.S. intelligence to update its policies and procedures to reflect the new privacy and civil liberties safeguards contained in the executive order

📌 This obligation is a consequence of the above measures. It should be kept in mind, however, that the executive order is not a law provision; therefore, a subsequent U.S. president could quickly rescind the order.

4. creates a multi-tiered mechanism for individuals to obtain an independent and binding review and damages in the event of claims that their personal data collected by U.S. intelligence has been processed in violation of applicable U.S. law as outlined below:

First level, the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO).
Second level, the Data Protection Review Tribunal (“DPRC”).

📌 This provision will also be decisive in assessing the adequacy of the U.S. regulations as it will have to be understood whether it will indeed be an independent court or has the same critical issues as the Ombudsperson envisaged by the Privacy Shield.

5. calls on the Privacy and Civil Liberties Oversight Board to review the Intelligence Community’s policies and procedures to ensure that they are consistent with the executive order.

📌 The same assessments as in point 3 above apply.