Joe-y doesn't share... data. The EU to US data transfer discussion continues with Biden Executive Order

It has been a couple of years since any US company has transferred EU personal data to the US without a concern of fines for contravening the General Data Protection Regulation (“GDPR”). Many EU companies have just decided to stop sharing their data with US counterparts altogether. This is all due to the 2020 Schrems II decision that determined the US did not have adequate protections in place for personal data, and as such, personal data should not be sent there.

In 2020, the European Court of Justice (“CJEU”) invalidated the EU-US Privacy Shield and almost stopped all commercial transfers of personal data from the EU to the US. The decision put a proverbial spanner in the spokes of EU-US commerce. In that case, Max Schrems argued that Facebook (now Meta) was transferring the personal information of EU citizens to the United States in contravention of GDPR. The CJEU determined that Facebook and other US companies were subject to unfettered US National Surveillance Laws that allowed the interception of foreign personal data transfers without notice or consent. In the wake of this decision, many US companies with EU operations have struggled to find a way to move forward in commerce while remaining in compliance with GDPR. The only options for companies became separating their EU operations from their US operations (usually through hosting data in the EU), stopping business operations in the EU, or to argue that their supplementary measures were sufficient to protect personal information (regardless of the CJEU stating otherwise).

There was almost no hope in sight for US companies… until now?

In October 2022, Joe Biden signed an Executive Order (“EO”) targeting the implementation of an EU-US data privacy framework that would facilitate EU-US data transfers once again. The EO is intended to provide EU individuals with broader rights to complain if their personal information is intercepted by US authorities, and aims to limit the surveillance rights of US authorities. It has prompted new found optimism in the minds of many US companies and is the first step in clarifying the grey area of EU-US personal data transfers.

There are still some concerns that this EO won’t quite address the outstanding issues surrounding data transfers. For example, critics have noted that the “court” created by the EO isn’t quite a court, and the legal remedies provided by the Data Protection Review Court may not be adequate to compensate individuals for the loss or unauthorized use of their data. These issues will need to be closely reviewed by the European Commission and member states to determine if the EO is enough to renew faith in EU-US data transfers. The European Commission review the adequacy of the measures adopted by the EO, and determine if free transfers of personal data can be made from the EU to the US. It is unclear when the EU Commission will make this determination, but it will be at least 6 to 12 months.

Until the EU Commission completes a thorough review of the EO and determines whether to classify the US as a country that adequately protects individual privacy rights, companies must continue to utilize transfer mechanisms such as the Standard Contractual Clauses. This should not become a reason to be lax in GDPR compliance, and companies should remain focused. This is not yet a guarantee of free EU-US data transfers, so don’t be surprised if companies and individuals are still reluctant to share their personal data with the US for the foreseeable future.