The EU-U.S. Data Privacy Framework: Background, Implementation, and Next Steps
Legal Sidebari
The EU-U.S. Data Privacy Framework:
Background, Implementation, and Next Steps
October 24, 2022
On October 7, 2022, President Biden signed and issued the Executive Order on Enhancing Safeguards for
United States Signals Intel igence Activities (the Data Protection EO or the EO). The Data Protection EO
is the latest U.S. action to implement the new European Union (EU)-U.S. Data Privacy Framework (Data
Privacy Framework), which the United States and the EU negotiated to replace the former EU-U.S.
Privacy Shield Framework (Privacy Shield). The new Data Privacy Framework and the EO implementing
it are key pieces to facilitate transatlantic data flows and enable U.S. companies to comply with EU data
protection law while stil being subject to U.S. foreign intel igence surveil ance laws. This Legal Sidebar
explains the circumstances leading to the development of the Data Privacy Framework, U.S. steps to
implement the framework, and issues of possible interest to Congress.
Background
In 2018, the EU enacted the General Data Protection Regulation (GDPR), an update to its 1995 Data
Protection Directive that imposes obligations for handling personal data in the EU. Among the GDPR’s
proscriptions are limits on when personal data may be transferred to countries outside the EU. Under
Article 45 of the GDPR, an entity may transfer EU personal data to a foreign country that the European
Commission has determined ensures an “adequate level of protection” for personal data. The European
Commission has recognized 14 different jurisdictions as providing an adequate level of protection to
satisfy Article 45. Transfers to a country that does not provide an adequate level of protection may stil be
lawful under the GDPR: Articles 46 and 49 define the situations in which an entity may transfer EU
personal data to a country that has not been deemed adequate.
The United States has attempted to meet Article 45’s standard by developing data protection frameworks
in coordination with the EU. Privacy Shield provided a mechanism for EU-U.S. data transfers from 2016
until the Court of Justice of the European Union (CJEU) declared it invalid in 2020. Under Privacy
Shield, participating commercial entities transferring personal data from the EU to the United States had a
number of data protection obligations, including adherence to seven data protection principles and
annual y self-certifying adherence to these principles to the Department of Commerce. The CJEU’s
decision invalidating Privacy Shield relied primarily on the extent of U.S. surveil ance of individuals
located outside the United States under Section 702 of the Foreign Intel igence Surveil ance Act (FISA),
Congressional Research Service
https://crsreports.congress.gov
LSB10846
CRS Legal Sidebar
Prepared for Members and
Committees of Congress
Congressional Research Service
2
enacted in 2008, and Executive Order 12333, signed by President Reagan in 1981. Specifical y, the CJEU
determined that U.S. surveil ance under Section 702 and Executive Order 12333 is not limited to what is
“strictly necessary” and does not “lay down clear and precise rules” that “impos[e] minimum safeguards”
to protect personal data. The CJEU additional y held that EU individuals whose data is collected by U.S.
surveil ance do not have an adequate administrative or judicial remedy for unlawful use of their data. For
a detailed discussion of the decision invalidating Privacy Shield, see this CRS Report. For more on
Privacy Shield and EU-U.S. data flows general y, see this CRS Report.
After nearly two years of negotiations, the United States (as represented in negotiations by the
Department of Commerce) and the European Commission (the EU’s executive, responsible for
negotiating on behalf of the EU) announced an agreement in principle in March 2022 outlining a new
framework—the Data Privacy Framework—that would replace Privacy Shield. A fact sheet released by
the White House summarized the U.S. commitments under this framework, focusing on the government’s
responsibilities to strengthen privacy safeguards relating to surveil ance activities. The fact sheet
suggested that the Data Privacy Framework would not displace Privacy Shield’s obligations for
commercial entities. For more background, see this CRS In Focus.
Implementation of the EU-U.S. Data Privacy Framework
The Data Protection EO, titled “Enhancing Safeguards for United States Signals Intel igence Activities,”
attempts to address the CJEU’s criticisms of Privacy Shield: namely, that U.S. surveil ance does not have
adequate data protection safeguards and does not provide an adequate legal remedy for non-U.S.
individuals whose personal data has been unlawfully obtained. The Data Protection EO creates
obligations for al executive agencies involved in signals intel igence activities to conduct such activities
only in pursuit of twelve defined “legitimate objectives” and only as necessary to advance such
objectives. The EO also lists four “prohibited objectives”: suppressing criticism or dissent; suppressing
privacy interests; suppressing a right to legal counsel; and disadvantaging individuals based on ethnicity,
race, gender, gender identity, sexual orientation, or religion. The EO also directs agencies to limit “bulk”
surveil ance and to limit the dissemination and retention of personal data obtained through surveil ance.
The Data Protection EO prescribes oversight responsibilities for intel igence agencies, requiring each
agency to have an officer responsible for assessing compliance with the EO and other applicable U.S. law.
These requirements may be responses to the CJEU’s concern that laws authorizing U.S. surveil ance do
not “indicate in what circumstances and under which conditions” personal data may be collected or
provide “minimum safeguards” for the protection of personal data.
The Data Protection EO also establishes a redress mechanism to al ow individuals to chal enge unlawful
surveil ance practices. Under the EO, individuals may submit complaints to the Director of National
Intel igence’s Civil Liberties Protection Officer (CLPO), who is directed to investigate and, if necessary,
remediate complaints. The EO directs the Attorney General to establish a “Data Protection Review Court”
through which an individual may seek review of the CLPO’s disposition of their complaint. If the Data
Protection Review Court disagrees with the CLPO’s determination, it may order remediation on its own.
In contrast to the Foreign Intel igence Surveil ance Court, a judicial body with jurisdiction over
surveil ance applications brought under Section 702 of FISA, the judges of the Data Protection Review
Court are not to be federal judges. The EO requires that judges on the court be selected by the Attorney
General from “legal practitioners with appropriate experience in the fields of data privacy and national
security law” who are not U.S. government employees and, for the time of their tenure on the court, have
no other government duties. The selection criteria for the court’s judges may be intended to address the
CJEU’s concerns that the reviewing entity under Privacy Shield, a State Department official known as the
Privacy Shield Ombudsperson, was insufficiently independent from the United States government. The
National Security Division of the Department of Justice (DOJ) issued regulations establishing the Data
Protection Review Court shortly after the White House announced the EO.
Congressional Research Service
3
As discussed in this CRS Report, executive orders have the force of law when they rely on a
constitutional or statutory power granted to the President. The Supreme Court has understood the
President to be responsible for overseeing the foreign relations of the United States. Additional y, the
National Security Act of 1947 provides expansive power to the President to supervise intel igence
activities. President Reagan relied on this supervisory authority in issuing Executive Order 12333.
Next Steps
The CJEU’s decision invalidating Privacy Shield made transfers of EU data to the United States unlawful
under the GDPR, unless those transfers relied on the provisions of Articles 46 or 49. The EO and DOJ
regulations creating the Data Protection Review Court are necessary steps in the implementation of the
new Data Privacy Framework, but several steps remain before commercial entities may rely on the
Framework. One outstanding question is what exact obligations wil govern commercial entities. As
discussed above, because the CJEU’s decision rejecting Privacy Shield relied on the insufficiency of
safeguards in connection with U.S. intel igence operations, rather than the obligations imposed on
commercial entities, Privacy Shield’s obligations wil likely remain in place for commercial participants:
the White House and Department of Commerce have both indicated as much.
On the EU side, the European Commission must determine that the new framework provides an adequate
level of protection. A Q&A published by the European Commission lays out the exact steps in this
process in more detail, noting that the Commission wil adopt a final adequacy decision only after it and
several other EU institutions review and approve the framework.
If the European Commission determines that the new framework provides an adequate level of protection
to comply with European data protection law, its decision may face legal chal enges in EU courts.
Maximil ian Schrems, the Austrian privacy activist who brought the chal enge that led to the CJEU’s
invalidation of Privacy Shield (and also successfully chal enged Privacy Shield’s predecessor before the
CJEU), issued a preliminary statement through his organization that the EO is “unlikely to satisfy EU
law.” According to the European Commission’s Q&A, the Commission believes the EO’s safeguards and
redress mechanism appropriately address the CJEU’s concerns.
Considerations for Congress
The EO and implementation of the new Data Privacy Framework may raise several issues of potential
congressional interest. One issue may be whether Congress wishes to act to authorize U.S. participation in
the Framework, given the importance of transatlantic data flows to U.S.-EU trade and economic relations.
Presidents may revoke executive orders, and any possible future revocation of the Data Protection EO
could leave EU persons without the EO’s data protection safeguards and recourse mechanisms. Because
the CJEU’s decision invalidating Privacy Shield rested on the lack of adequate safeguards and legal
recourse, revoking the EO could threaten the viability of the new Data Privacy Framework. Congress
could attempt to provide these safeguards through legislation.
A separate but related issue is that the CJEU may determine that the safeguards provided for in the EO are
insufficient to assuage the court’s concerns with U.S. surveil ance. If the CJEU determines that U.S.
surveil ance as authorized by Section 702 of FISA does not satisfy EU data protection law, even with the
EO’s safeguards in place, ensuring the legality of EU-U.S. data flows may require amending FISA.
Section 702 of FISA is scheduled to expire at the end of 2023. As discussed in this Legal Sidebar,
Members of Congress have used past FISA reauthorizations to propose broader reforms to the law.
Congressional Research Service
4
Author Information
Eric N. Holmes
Legislative Attorney
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff
to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of
Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of
information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role.
CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United
States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However,
as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the
permission of the copyright holder if you wish to copy or otherwise use copyrighted material.
LSB10846 · VERSION 1 · NEW