Biden Administration implements data protection framework U.S.-EU data sharing 

Cross-border data transfers might be necessary for generating insights, but they’re often a data protection nightmare. 

Ever since the Court of Justice of the European Union (CJEU) voided the EU-U.S. Safe Harbor agreement and Privacy Shield in its Schrems II 2020 decision due to concerns that U.S. nation-state surveillance violated the GDPR, there’s not been a legal framework for transferring EU citizen’s personal data to the U.S. 

However, this is no longer the case. Today, President Biden signed an Executive Order, committing the United States and the European Commission to form a new Trans-Atlantic Data Privacy Framework, which establishes a legal mechanism that organizations can use to legally transfer the personal data of EU citizens to the U.S. The new cross-border guidelines come as the U.S. Commerce Department also just issued strict rules for American companies to cut off China’s microchip supply.

According to a statement released by the White House, the Executive Order clarifying the cross-border guidelines gives data subjects the ability to seek redress if they believe their personal data was collected by signals intelligence “in a manner that violated applicable U.S. law.”

Removing uncertainty over cross-border data protection standards  

The Executive Order comes after a wave of uncertainty surrounding cross-border data protection standards following the Shrems II decision, which, as noted above, invalidated the EU-U.S Safe Harbor agreement as well as the Privacy Shield, and reduced support for transferring personal data from the EU to the U.S.

The court noted in its judgment that the data protection practices of the U.S. government’s surveillance programs “cannot be regarded as limited to what is strictly necessary,” and fundamentally didn’t respect the privacy of EU data subjects. 

Following the decision, many organizations began to review their policies around processing and transferring the data of EU citizens. This process was largely based on guesswork —due to a lack of centralized guidance — which led to serious enforcement actions against non-compliant organizations. 

For instance, on January 13, 2022, the Austrian Data Protection Authority decided that Google Analytics violated the GDPR, alleging that the organization transmitted data to the U.S. while failing to protect it from U.S. government surveillance. This wasn’t in compliance with the Schrem’s II decision on data transfers. 

The lack of clarity also led companies like Meta to consider shutting down services like Facebook and Instagram in Europe if they weren’t able to legally transfer data back to the U.S.

Privacy Shield 2.0 will reduce some of this ambiguity, so enterprises can begin processing data across borders with more legal protections and less exposure to regulatory liabilities. 

“Today’s Executive Order implementing the EU-U.S. Data Privacy Framework clears a path for transatlantic business and diplomacy alike,” said Caitlin Fennessy, VP and chief knowledge officer at the International Association of Privacy Professionals. “Since the EU’s Schrems II decision invalidated the Privacy Shield more than two years ago, personal data flows from the EU to the U.S. have been legally questionable. Some might argue, they were effectively banned.”

Restoring trust in the data sharing landscape 

While the EU still needs to vet Privacy Shield 2.0 and confirm it meets the standards outlined by the Schrems II ruling, the future of EU-U.S. data sharing is much more promising than the two years prior. 

“The EO signals an important step to activate trans-Atlantic data transfers by and between businesses. The EO aims to provide increased protection of individual privacy from government surveillance, which in turn provides the confidence for both the U.S. and the EU to resume negotiations for commercial data transfers,” said Lydia Clougherty Jones, a senior director and analyst at Gartner. 

For enterprises, now is the time to take stock of the regulatory landscape and consider what data processing and innovation use cases are available and compliant. As Jones notes, the order signals that enterprises will have more flexibility in the future to pick data use cases aligned to economic and public value. 

“While it may [take] several months to finalize a reactivated U.S./EU agreement, businesses should start preparing now. Start with ideation — what business outcomes can we accelerate from this anticipated change? Then look at whether increased flexible data sharing will yield the rights you need in the data to reach those outcomes,” Jones said.