On October 7, 2022, President Biden signed an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’. The Executive Order addresses the concerns raised by the Court of Justice of the European Union (CJEU) when it invalidated the Privacy Shield in 2020, the previous framework that several companies relied to when transferring personal data from the EU to the US. The Executive Order, known as the Data Privacy Framework, includes enhanced safeguards that are designed to limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security. Further, the Data Privacy Framework establishes a new redress mechanism, including the Data Protection Review Court (DPRC), which will resolve complaints from individuals regarding access to their data by US national security authorities.
The European Commission issued a draft adequacy decision on December 13, 2022, recognizing that the Data Privacy Framework provides comparable safeguards to those in the EU. The draft adequacy decision was transmitted to the European Data Protection Board (EDPB) for its opinion, whereas the European Parliament also issued its decision. The European Commission eventually decided to grant the US an adequacy finding on July 10,2023. This adequacy finding renders the Data Privacy Framework the new path for transatlantic data transfers. The working paper will discuss the predecessors of the Data Privacy Framework, the particulars of the Data Privacy Framework, and the consequences it will have for the EU-US transatlantic data transfers.