Client Alert: EU-US Data Privacy Framework
October 14, 2022
On October 7, 2022, the Biden Administration issued a long-awaited Executive Order focused on privacy and national security interests, in conjunction with the collection of data and information created outside the United States. The Executive Order can be found on the White House website.
Back in 2020, the European Union’s (EU) highest court struck down the Privacy Shield regulatory process, which was developed after the longstanding “Safe Harbor” method. This method was struck down by the Court of Justice of the European Union (CJEU) in late 2015, in the aftermath of disclosures in 2013 by Edward Snowden regarding the National Security Agency’s (NSA) surveillance programs and related data collections.
Since 2020, there has been no risk-free way to manifest data transfers between EU and US businesses. Although, there have also been no fines manifested against US businesses that have been grounded solely in the absence of a privacy shield or safe harbor. The EU has strongly implied that if a US business is otherwise compliant with the GDPR, the data collection processes of the US government will not be the sole grounds for finding that a US business is violating EU privacy laws.
US-based businesses, and the US government, hope that the EU’s announcement that it will review the recent Executive Order and create a draft adequacy decision. And as a result, commence an adoption process regarding the principles set forth in the Executive Order.
While the Executive Order doesn’t include extensive mandates or regulations on US-based businesses, it does include language that regulates government intelligence agencies’ data collection activities “only in pursuit of defined national security objectives” by “tak[ing] into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence,” and by being “conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority”.
Accordingly, since the issuance of this Executive Order strongly implies that the Biden Administration will not add new obligations to US businesses’ data collection processes this fall. Now is a good time for businesses to review their Terms of Use and Privacy Policies, to ensure that they are in compliance with current federal and state laws regarding data collection and usage.
Berger Singerman’s Intellectual Property Team is available for consultations and discussions on these and related issues. Please feel free to reach out to our attorneys, including longtime TOU/Privacy Policy author Heidi Tandy for more information.