President Biden Signs Executive Order to Implement the European Union-U.S. Data Privacy Framework

If you weren’t already aware, it is currently illegal to transfer personal data from the EU to the US. In fact, it is illegal to transfer personal data from an EU country to a non-EU country that is not exempt, have appropriate safeguards in place or if there isn’t a derogation for specific situations (such as explicit consent given by the data subject).

We have great news for companies with EU - US operations

On Friday 7 October 2022, President Biden signed an Executive Order to implement commitments made by the US to the EU earlier this year to bolster personal data privacy laws in the US.

Practically speaking, this means that in relation to personal data of Europeans transferred to the US, the new Executive Order provides for:

  • Binding safeguards that limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security;

  • The establishment of an independent and impartial redress mechanism to investigate and resolve complaints regarding access to their data by US national security authorities.


What this means for you?

This is particularly great news for companies who have operations in Europe and US or European companies that are planning to expand to the US. Companies will hopefully soon be able to transfer, share, analyse and compare personal data between the markets without having to jump through hoops to identify what appropriate safeguard to use. 

Since the Schrems II judgment by the Court of Justice of the European Union (CJEU) in July 2020, the invalidation of the Privacy Shield has caused a substantial negative impact on organisations that transfer or share personal data on customers, employees and “other” data subjects in Europe to their US entity. In particular, small / mid-sized companies with limited resources have been hit the hardest.

When is this in force?

Having the executive order in place will allow for the European Commission to start its procedure to adapt an adequacy decision on data transfers to the US. The Commission has not yet presented a time plan, and the draft adequacy decision needs to pass the European Data Protection Board (a group consisting of representatives from all of the EU supervisory authorities) and a committee composed of representatives from the EU Member States. Albeit its blurry time plan the Commission is optimistic stating that there are significant improvements compared to Privacy Shield and that the safeguards included in the executive order address the concerns lifted by CJEU when declaring Privacy Shield-unlawful.

When the adequacy decision is in place personal data will once more be able flow freely between the EU and the US, provided that the receiving company is certified by the Department of Commerce. 

The White House’s statement on Friday highlights that “transatlantic data flows are critical to enabling the $7.1 trillion EU-US economic relationship”. Given the need for an economic stimulus, there is no doubt that all parties involved would be motivated to increase the efficiency and effectiveness of the EU-US relationship.

For more updates, sign up to PocketLaw to ensure you have all the information you need to start and grow your business!


Book a personalized demo

Enterprise ready.

ISO 27001 certified and GDPR compliant. Data encrypted at rest with AES 256 and in transit with TLS 1.2+.

For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.