Out-Law News 1 min. read
04 Jul 2023, 2:16 pm
The US government has said it has implemented “privacy and civil liberties” safeguards relevant to how EU citizens’ data may be handled by US authorities in a move designed to facilitate the free flow of personal data across the Atlantic.
The EU-US Data Privacy Framework (DPF), colloquially referred to as ‘Privacy Shield 2.0’, has been drawn up by EU and US negotiators as a means by which to help businesses transfer personal data from the EU to the US in a way which meets the requirements of EU data protection law. However, the framework has yet to take effect.
The European Commission provisionally endorsed the proposed framework late last year, but Didier Reynders, European commissioner for justice, has previously said that changes on the US side, committed to in an executive order issued by US president Joe Biden last autumn, needed to be implemented before a final decision would be made by the Commission.
Various concerns about Privacy Shield 2.0 have been raised by MEPs and EU data protection authorities in scrutinising the draft ‘adequacy’ decision reached by the Commission. Among other things, both MEPs and the European Data Protection Board (EDPB) specifically said the Commission should not adopt its final decision until all US intelligence agencies implement commitments made in Biden’s executive order.
On Monday, the Office of the Director of National Intelligence (ODNI) in the US published new policies and procedures that the intelligence community will observe “to implement the privacy and civil liberties safeguards specified” in the executive order (EO). Bespoke policies and procedures have been drawn up for individual agencies, including the CIA, the FBI and the NSA.
The ODNI said: “The IC (intelligence community) elements’ procedures released today further implement the EO’s requirements, and thereby the United States’ commitments under the EU-U.S. DPF. As required by the EO, each IC element developed its procedures in consultation with the Attorney General, the ODNI Civil Liberties Protection Officer (CLPO), and the Privacy and Civil Liberties Board. In implementing the EO’s safeguards, each set of procedures is tailored to the authorities, missions, and responsibilities of the IC elements.”
Separately, the IAPP has reported that the US Department of Justice has “designated EU member states along with Iceland, Liechtenstein and Norway as ‘qualifying states’ whose citizens are able to file for redress through the proposed Data Protection Review Court while obtaining enhanced US privacy protections”. MEPs and the EDPB previously identified deficiencies with the redress mechanism provided for under Privacy Shield 2.0.
Last month, the UK and US governments announced that they had reached an agreement in principle over the establishment of a new legal framework for facilitating the transfer of personal data from the UK to the US. The new “data bridge” would be an extension of the EU-US Privacy Shield 2.0.