Shielding EU/US Data Transfers: Inside the New Privacy Framework

December 12, 2022 | Podcasts



In a global economy with personal data flowing between countries on a regular basis, President Biden in October 2022 signed an executive order directing the steps that the United States will take to implement its commitments under the EU-US Data Privacy Framework. In this Fast Takes episode, Jackson Walker attorneys John Jackson and Manny Schoenhuber discuss the implications of this executive order.

Featured This Episode

Our Host:

Courtney WhiteCourtney White
Research Attorney, Dallas & Houston
Follow on LinkedIn »
Instagram: @courthousecouture

Episode Guests:

Suzan KedronJohn Jackson
Partner, Dallas
Trial & Appellate Litigation/Cybersecurity, Data Protection, & Privacy
Follow on LinkedIn »
Twitter: @AttorneySomm
Manny SchoenhuberManny Schoenhuber
Associate, Houston
International/Trial & Appellate Litigation
Follow on LinkedIn »
Twitter: @GermanLawyerUSA

Episode Transcription

Courtney White: Hi, everyone. I am Courtney White, and this is Jackson Walker Fast Takes. We live in a global economy, and digital data, including personal data, flows between countries on a regular basis. In 2020, the Court of Justice of the European Union declared that the EU/US Privacy Shield is invalid because it does not provide an adequate level of protection for the transfer of personal data from the EU to the United States. On October 7, 2022, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, directing the steps that the U.S. will take to implement its commitments under the EU/US data privacy shield framework. According to the White House, transatlantic data flows are critical to the $7.1 trillion EU/US economic relationship. Today, I have asked two of my colleagues, John Jackson, a litigation partner in Dallas, and Manny Schoenhuber, an associate from Houston, to discuss the implications of this executive order.

John, can you give the underlying facts of the EU ruling and the background over the past two years that led to this executive order?

John Jackson: Yes, thanks very much. There’s an individual who resides in Austria named Max Schrems, and he’s been an activist on data privacy issues for a number of years and frequently files legal challenges with the Supervisory Authorities in the EU, seeking to promote data privacy legislation and to have more strict requirements for processing personal information of EU residents. He had been a Facebook user for a number of years, and he filed a challenge to Facebook’s processing of information with their United States-based servers when they obtained that information from Ireland, which is where he was using Facebook, on the grounds that the United States did not have the same protections as those that are offered by the GDPR.

In particular, the two things that were the basis for his objection were the fact that U.S. intelligence services, for example, did not have as many restrictions to accessing information as required in the GDPR. In the GDPR, they need to be able to show that access to the personal information is strictly necessary or that there’s some proportionality to be able to access the information. That’s in large part based on historical issues that they’ve had in Europe with not trusting governments and their use of personal information, so that was a very important issue for the EU. That was one of the bases for striking the U.S. law – the U.S. privacy shield, that is. The other basis was the fact that under the GDPR, there has to be a way for individuals who have grievances to seek relief and to challenge the practices. At the time, there was not a really good way for individuals aggrieved by that sort of processing by intelligence agencies to seek redress for those claims.

Courtney White: Thank you for giving us that background. That was very helpful, John.

Manny, can you please tell us how this executive order will impact the international companies doing business in the U.S.?

Manny Schoenhuber: Thanks, Courtney. Absolutely. I would say, generally speaking, the executive order is beneficial to international and especially European companies with business in the U.S., because you plainly have one framework for both the EU and the U.S. data, which will hopefully streamline compliance. European Union companies can then implement for their U.S. business what they already know from their activities in the European Union. So, that should make things a lot easier. It should restore trust and stability to the transatlantic data flow. From a legal perspective, it should also provide greater certainty to safely and securely transfer European Union personal data to the U.S.

Obviously, the potential downside is that there could be too much bureaucracy and that the European Union may create too many hurdles because, generally speaking, it takes data protection and privacy a bit more serious as compared to the U.S. So, there could be a potential clash between the cultures. Hopefully, however, I would say that it is a good thing for the European Union and U.S. relationship.

Courtney White: Thank you, Manny. This question is for both of you: How will we know that this executive order has been helpful? Is there any way to measure it?

John Jackson: Yeah, I’ll take that first, Courtney. Thanks very much. I think that the hope is that this executive order will lead to the EU recognizing that the U.S. now has a framework that’s essentially equivalent to that in the EU, and that would hopefully pave the way for the reinstatement of the US/EU Privacy Shield and that made it a lot easier for companies to be able to process information back and forth between the EU and the U.S. So, hopefully, that will be reinstated in the not-too-distant future, as that would make it a lot easier – especially for smaller companies – to engage in transfers without having the same sort of transaction costs that they’ve had the last couple of years in terms of having to negotiate and enter into standard contractual clauses and other things that had been necessary since the U.S. Privacy Shield framework was stricken.

Manny Schoenhuber: And I totally agree with John on this one. Obviously, only time will tell whether the executive order will be helpful or not. But I think we will know for sure that it was helpful if it actually fosters and actually increases the European Union and U.S. business collaborations, if it actually makes data exchange between the EU and U.S. less complex—I think that’s another important point—while, at the same time, also making it more secure. Most importantly, from a business perspective, as obviously that the executive order does not create additional compliance burdens or hurdles for the businesses.

Courtney White: Thank you both for explaining and for joining me today. I really enjoyed our discussion, John and Manny.

The music is by Eve Searls.

The opinions expressed do not necessarily reflect the views of the firm, its clients, or any of its or their respective affiliates. This article is for informational purposes only and does not constitute legal advice.

Related Insights: