The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email: segreteria@imperialida.com

Executive Order for EU-US data flows

On October 7, 2022, President Biden signed an executive order (Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, "EO") implementing new safeguards under the U.S.-EU political agreement on the transfer of personal data, in particular with regard to possible access to that data by federal intelligence agencies.

Privacy Shield

Previously, the Privacy Shield program had been the subject of an adequacy decision by the EU Commission; as a result of that decision, from 2016 personal data flows between business entities on the two sides of the Atlantic could be considered free, on the basis of Article 45 of the GDPR. The program required compliance with seven data protection principles and an annual self-certification of adherence to those principles, submitted by the company concerned to the Department of Commerce.

Schrems II Consequences

The CJEU’s ruling in the Schrems II case invalidated the Privacy Shield program, which was deemed unable to provide adequate safeguards for the rights and freedoms of European data subjects, especially with regard to the indiscriminate power of data access by law enforcement and federal intelligence agencies.

The Court’s decision of July 2020 (C-311/18, Facebook Ireland and Schrems) removed an important instrument of legitimacy for trans-Atlantic flows of personal data and raised the question of finding an alternative legal solution, which, however, was not immediately achievable.

While waiting for the new U.S.-EU political negotiations to produce a replacement for the Privacy Shield, exporting data controllers have had to rely on one of the additional safeguards in Articles 46-47 of the GDPR. The difference in legal effect between a Commission adequacy decision covering a shared program and the adoption of one of the safeguards in Articles 46-47 is significant: in the former case, data flows are legitimate with respect to all members of the program; in the latter case, only those flows are covered that take place between the signatories of specific contractual arrangements (e.g., SCCs or BCRs) or between parties who satisfy one of the other conditions provided for in Article 46 (adherence to approved codes of conduct or certification mechanisms, among others).

Transfer impact assessment

A further consequence of the CJEU’s decision in the Schrems II case is that data exporters, whether controllers or processors, must subject the transfer to a prior assessment (the so-called "TIA", Transfer Impact Assessment) covering:

  • Verification that U.S. law complies with the European essential guarantees, i.e. that it:
  1. Provides for clear, precise and accessible rules
  2. Ensures that processing is necessary and proportionate with regard to the legitimate objectives pursued
  3. Includes an independent oversight mechanism
  4. Includes effective means of remedy for data subjects
  • An assessment of whether the practices actually followed by U.S. government agencies undermine the protections that U.S. law provides on paper.

Where this assessment concludes that U.S. law or practice fails to protect the fundamental rights of data subjects, exporters must identify and implement supplementary measures, which may include technical, contractual or organizational safeguards, to compensate for these shortcomings.