Next Step in Privacy Shield Replacement – President Biden Signs Executive Order for U.S.-EU Trans-Atlantic Data Sharing Agreement

This morning, President Joe Biden signed an Executive Order detailing enhanced commitments towards facilitating data transfers between the European Union and the United States. The White House had previously announced news of an initial agreement between the U.S. and the EU on March 25, 2022.  Biden’s Order seeks to end the stalemate regarding transatlantic data transfers following the EU Court of Justice’s 2020 decision invalidating the Privacy Shield and ruling that the U.S. did not sufficiently protect EU residents’ personal data.

Primarily, this Order prevents U.S. intelligence agencies’ unchecked collection of the electronic data of non-U.S. citizens (requiring U.S. intelligence agencies to only collect data for specific national security interests) and offers a new path of redress for non-U.S. citizens if they believe their data was improperly accessed or collected. The Order gives authority to the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO) to formally investigate complaints of improper collection and handling of personal data and to issue binding decisions on whether improper conduct occurred. As a second layer of review, a new Data Protection Review Court (DPRC) within the U.S. Department of Justice will review the decisions of the CLPO.

This Order brings the U.S. one step closer to the creation of a new transatlantic data sharing agreement. The agreement is now subject to review and ratification by the European Commission, which could take up to six months.  If the European Commission issues an adequacy determination, which remains to be seen, U.S. companies will, hopefully, be able to rely on that determination unless and until that determination is successfully challenged by privacy advocates who have already signaled an intent to do just that. Still, this is a positive move toward a less cumbersome approach than the use of Standard Contractual Clauses.

For more information on this new data-transfer framework or privacy laws in general, please contact John Landolfi, Marcel Duhamel, Christopher Ingram, Christopher LaRocco, Gretchen Rutz or your Vorys attorney.