In an Effort to Comply: Biden Administration Response to EU-U.S. Data Privacy Framework

Photo Courtesy of TechCrunch.

Data privacy protections in the wake of the European Union’s General Data Protection Regulation (“GDPR”) have set a high bar for compliance concerning companies’ handling of consumer data. Since its inception in May 2018, large and small companies interacting with E.U. member state citizens’ personal data have had to adjust their internal practices to ensure compliance with the GDPR requirements. This has impacted companies differently, as some have had to bear the burden of higher costs and more complicated means to achieve compliance. For those who fail to comply, the financial burden can be catastrophic. The baseline financial penalty sits at up to 4% of a company’s annual global revenue or 20 million euros, whichever is larger. 

To further complicate this regulatory framework, in 2020, in the Schrems II decision, the European Court of Justice invalidated the EU-U.S. Privacy Shield. This decision severely limits vital mechanisms for transferring personal data between the E.U. and the U.S. and impacts how national security agencies operate in the preservation of personal data. Some argue that the E.U. has set a standard that is too unilateral and too EU-centric, and the national security interests of other countries may outweigh broad compliance. However, the E.U. is betting that the financial incentive for U.S. companies to allow for seamless cross-border data flows is sufficient to spark change in U.S. policy on data use and protection.

Considering these issues, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (E.O.) last week. This Executive Order is in response to the European Union-U.S. Data Privacy Framework (“EU-U.S. DPF”) commitments that President Biden and European Commission President von der Leyen entered into in March of 2022. Considering the weight of the $7.1 trillion EU-U.S. economic relationship, President Biden aims to address the concerns of the Schrems II decision with this executive order. The order:

  • Adds further safeguards for U.S. signals intelligence activity;
  • Establishes mandates for the handling of personal information;
  • Requires the U.S. Intelligence Community elements to update their policies and procedures;
  • Calls on the Privacy and Civil Liberties Oversight Board to review Intelligence Community policy and procedure; and
  • Creates a multi-layer mechanism for individuals to obtain independent and binding review by:
    • a Civil Liberties Protection Officer; and
    • as a second layer, a Data Protection Review Court under the authority of the Attorney General.

With an ultimate goal of inching toward compliance and a subsequent adequacy determination from the European Commission, the Biden Administration hopes to restore a vehicle for data transfer mechanisms under E.U. law. It will be interesting to see how the Biden Administration can address these provisions, ensure their adoption and execution, and ultimately provide the level of oversight and accountability measures necessary to comply with GDPR and its progeny.

Article Written by Lucas Di Lena. 
