
Are we there yet? Solidifying the U.S. – E.U. privacy landscape with President Biden’s new Executive Order

On October 7, 2022, President Biden signed an Executive Order (“E.O.”) on Enhancing Safeguards for United States Signals Intelligence Activities. Businesses might be wondering: What, if anything, does this mean for me?

Quite simply, if your business transfers personal information from one country or state / province to another country or state / province, you should know (1) what is mandated of you by law and (2) the best practices of how to facilitate such transfers, to bolster your cybersecurity.

This blog will: first, provide the general backdrop leading to this E.O.; second, summarize President Biden’s E.O.; and third, discuss your business’ next steps.

Background

The E.U. has a generally applicable privacy law known as the General Data Protection Regulation (“GDPR”). This law regulates your ability to export the personal information (called “personal data” in the European context) of Europeans to other countries. Generally speaking, to export personal information from the E.U. to another country, you need either an adequacy decision from the European Commission or to implement appropriate legal safeguards; both routes intend to ensure that the transferred personal information will receive a level of legal protection equivalent to the GDPR. The two most common appropriate legal safeguards are binding corporate rules or the E.U. standard contractual clauses.

Exporting personal information from the E.U. to a country already found to be adequate by the European Commission is the safest and quickest method. For example, the Commission has decided that Canada is an adequate jurisdiction in respect to private-sector companies collecting, using, and disclosing personal information in the course of commercial activities.

The United States and its Privacy Shield program used to be adequate. However, in July of 2020, the Court of Justice of the E.U. (the “CJEU”) released the landmark Schrems II case, which held that transfers of personal information from the E.U. to the U.S. could not be based on the U.S. Privacy Shield program because that program did not create an “adequate” level of data protection comparable to that under European privacy law (i.e., the GDPR).

At the heart of the CJEU’s analysis were:

Therefore, since Schrems II, the E.U. does not consider the U.S. to be an “adequate” jurisdiction. Consequently, companies exporting E.U. personal information to the U.S. must put appropriate legal safeguards in place. However, due to the three reasons provided immediately above, it has become difficult for businesses to demonstrate that their applied safeguards actually create an appropriate level of legal protection.

In March 2022, the E.U. and U.S. reached “an agreement in principle” to a new Trans-Atlantic Data Privacy Framework, which would assist in the transfer of data between the E.U. and U.S. However, months passed without further details of what exactly this framework would look like.

Good news: your business’ trans-Atlantic data flows may get a little easier, soon

President Biden’s new E.O. generally provides the following:

Practically speaking, the E.O.’s exact specifics do not directly affect your business, because it is an executive order directed at U.S. intelligence agencies. The E.O. essentially represents the U.S. Commander in Chief tying his own hands and the hands of the intelligence community. What’s important to you is how this E.O. affects the legal uncertainty surrounding E.U. to U.S. transfers of data.

Next steps?

The most immediate impact is likely in negotiations with E.U. businesses. If you propose to transfer E.U. personal information to the U.S., a common rebuttal is often to point to the concerns raised in the Schrems II decision. You, as a business, can now point to this new E.O. to reassure them that there are additional data safeguards.

Otherwise, the U.S. will likely push for an adequacy decision from the European Commission. If the Commission confirms U.S. adequacy, then cross-border businesses will no longer need to transact within the ambiguity of whether their additional safeguards are satisfactory.

However, it is important to recognize that the E.O. is just an E.O. — it could be subject to amendment or revocation by any subsequent president. Additionally, even if President Biden’s E.O. leads to an adequacy decision, that decision could again be challenged in a European court. Lastly, President Biden’s E.O. does not eliminate the need for substantive U.S. privacy reform.

What are the takeaways for businesses?

Privacy and data export laws are becoming increasingly complex, and so are your business’ rights and obligations. Fines for violating privacy legislation are becoming steeper. For example, under the GDPR, administrative fines can reach €20,000,000 or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Likewise, Quebec’s new privacy law may subject your business to a comparable amount in Canadian dollars. If you transfer information across borders, you should seek legal advice.

If you have any questions related to this Article’s content, you may reach out to any lawyer in Siskinds’ Privacy, Cyber & Data Governance Team. You can also reach out to me, Savvas Daginis — a Canadian and American Business, Technology, and Privacy Lawyer — at savvas.daginis@siskinds.com if you have any questions.
