President Biden recently signed an executive order establishing the implementation of the new EU-U.S. Data Privacy Framework, which would provide for the possibility of the lawful transfer of personal data from the European Union (EU) to the United States (U.S.), while ensuring a strong set of data protection requirements and safeguards.[1]  Once approved by the European Commission (EC), the new Framework would replace the “Privacy Shield” framework, which was invalidated by the Court of Justice of the European Union (CJEU) in the case commonly known as Schrems II.

It is expected that the new Framework will be effective by the end of the first quarter of 2023, after the EC’s review of the executive order and preparation of a draft adequacy decision, the issuance of a non-binding opinion by the European Data Protection Board, a vote of approval of the decision by EU member states, and formal adoption by the EC College of Commissioners.[2] On the basis of the new Framework, EU (and later European Economic Area) businesses would be able to legally transfer personal data to U.S.-based companies that were self-certified the new Data Privacy list at the U.S. Department of Commerce.

There are three components to the new EU-U.S. Data Privacy framework: (a) limits on U.S. surveillance programs; (b) sufficient redress mechanisms to pursue alleged violations; and (c) the Framework’s commercial data protection principles.

In Schrems II, the CJEU declared the Privacy Shield framework invalid because the court found there were insufficient restrictions on U.S. signals intelligence activities and inadequate redress rights for individuals who wanted to challenge what they considered to be unlawful U.S. government surveillance. Biden’s executive order addresses the CJEU’s findings by expressly mandating necessity and proportionality limits on U.S. surveillance programs and including oversight procedures to verify compliance by U.S. intelligence authorities. The executive order also includes other specifics, such as identifying what signals intelligence can be collected, how it can be used and shared, and how long it can be maintained. 

In addition, Biden’s executive order directed the Department of Justice to adopt regulations[3]  to establish a Data Protection Review Court (DPRC) for individuals to challenge U.S. government surveillance activities. The DPRC will be a second level of review in the redress mechanism, the first level being the Civil Liberties Protection Officer (CLPO) of the Office of the Director of National Intelligence.  The CLPO will also provide training to U.S. intelligence authorities and review their compliance with the executive order and U.S. intelligence priorities. The DPRC will independently review the CLPO’s determinations. 

The U.S. Department of Commerce (Department) has authority over the last component of the new Framework, the commercial data protection principles and self-certification process. The Department is currently updating its requirements for companies to self-certify to the commercial data protection principles.  While the CJEU did not question these commercial principles in Schrems II,  there will still be some changes to these principles because of the need to update references from the 1995 EU Data Protection Directive to the General Data Protection Regulation (GDPR), which went into effect after the Privacy Shield framework was adopted. These modifications include changing the definitions of personal data etc., to conform to the GDPR.

Until the new Framework is adopted, U.S. companies should consult with legal counsel to insure that any transfers of personal data (as defined in the GDPR) to the United States are done in compliance with law.


[1] See https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities/ .

[2] See https://ec.europa.eu/commission/presscorner/detail/en/qanda_22_6045.

[3] See https://www.justice.gov/opcl/redress-data-protection-review-court.