President Biden signed a new executive order on Friday, with a framework that seeks to replace the existing Privacy Shield program. That program was found to be an invalid mechanism for transferring personal data between the EU and the US in 2020 (the Schrems II decision). Since then, companies have struggled to establish an appropriate mechanism for transfer of information from the EU to the US.
As many are aware, under EU law, personal information cannot go from the EU to a third country unless it has been deemed to have “adequate” protections of personal information, except in limited circumstances. Prior to Schrems II, the EU-US Privacy Shield was one such circumstance. It was struck down, in part, however, because of the EU’s concerns with EU residents’ personal information being collected and used by US intelligence agencies. Under the newly proposed program, those agencies’ ability to process such data is restricted: their use of “signals intelligence” is limited, inter alia, to that which is necessary to further a “validated” intelligence activity and to use that is proportional to that activity. The order also creates a review process to oversee how agencies access individuals’ information for intelligence surveillance purposes.
The program is now with the EU to review, and an agreement may be in place in March 2023. Privacy activists, including Schrems, however, have already begun criticizing the program as insufficient. For those keeping track, this is the third attempt at such a transborder agreement, with the Shield’s predecessor, the EU-US Safe Harbor, struck down in 2015.
Putting It Into Practice: As we wrote in April, companies right now will need to continue to take appropriate measures to address EU legal requirements for transfers of personal information out of the EU. For transfers to the US, this might include standard contractual clauses, transfer impact assessments, and supplemental measures.