Update on Data Transfers to the U.S. - What Does the Executive Order Change?

On October 7, 2022, U.S. President Joe Biden, after consultation with the European Commission, signed an Executive Order (“E.O.”) "on Enhancing Safeguards for United States Signals Intelligence Activities" (White House press release from October 7, 2022). The E.O. is intended to better protect personal data of non-U.S. citizens transferred to the United States from access by U.S. authorities. It is intended to serve as the de facto basis for an adequacy decision by the European Commission, which is already in the pipeline, and which is expected to significantly facilitate the EU - U.S. data flows in the future.

Whether the E.O. can fulfil this function is still questionable. At this stage, however, there are already critical reactions from some supervisory authorities.

Content of the E.O.

The provisions of the E.O. are primarily intended to improve the protection of non-U.S. citizens in the event of interventions by the intelligence services. The previous regulations in this regard were criticized as inadequate by the Court of Justice of the European Union in the Schrems II judgment (CJEU judgment of July 16, 2020, C-311/18) (see also BfDI's summary of the judgment – in German). The CJEU primarily criticized the fact that access to data of non-U.S. citizens on the basis of certain surveillance provisions was largely unrestricted and that, in addition, there were no effective remedies to defend against interventions by US intelligence authorities.

Accordingly, the new E.O. aims to tackle precisely the deficits addressed by the CJEU:

  • Intelligence activities are to be carried out only if they are proportionate and necessary. In particular, the privacy and civil liberties of all persons, regardless of their nationality or country of residence, are to be taken into account prior to carrying out intelligence activities.
  • A two-layer redress mechanism will enable non-U.S. citizens to defend themselves more effectively against measures taken by the U.S. authorities. As a point of contact for complaints, they can turn to a "Civil Liberties Protection Officer" if they suspect that their personal data has been misused. In addition, they can challenge decisions by the Civil Liberties Protection Officer in a Data Protection Review Court.

How have the supervisory authorities reacted so far?

On the part of the German supervisory authorities, only the Bavarian and Baden-Württemberg data protection authorities have officially commented on the E.O. so far.

The representatives of the Bavarian data protection supervisory authority for non-public bodies assume that the E.O. can be taken into account within the transfer impact assessments in the future, but one must wait for its implementation. So far, the representatives of the Bavarian DPA have only commented in presentations, but an official publication on the website is to follow (see tweet by Dr. Carlo Piltz).

The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg generally questions whether an executive order can meet the high requirements of the GDPR, since formally it is only an internal instruction of the U.S. government and not a law (see the press release from October 26, 2022 – in German). However, other DPAs do not share this opinion and very much see the E.O. as a law (albeit not a parliamentary law). Further critique includes that the regulations of the E.O. are too vague and cannot be effectively enforced by EU citizens, as there is no remedy with regard to compliance. Furthermore, the independence of the Data Protection Review Court is not guaranteed, as the court is subordinate to the U.S. Department of Justice and thus not an independent court.

What does the E.O. mean for practice?

At this point, the E.O. does not provide any immediate relief. This is simply due to the fact that the contents and requirements of the E.O. must be implemented in practice. Until the European Commission adopts a decision recognizing the appropriateness of the level of data protection in the U.S., nothing will change in legal terms. A decision is currently expected in spring 2023. The legal situation on the U.S.’ side will also remain unchanged until the E.O. is implemented.

Until then, European companies must continue to ensure that standard data protection clauses (SCC) are agreed upon by the U.S. service providers before transferring personal data to the U.S., a transfer impact assessment is carried out, and additional measures are taken if necessary.

In this context, we would also like to point out once again that the old SCCs expired on December 27, 2022, and only new SCCs may be used.

Lawyer, Partner
Dr. Carlo Piltz
Lawyer, Partner
Dr. Carlo Piltz

Go back


German Federal IT security authority publishes guidelines for AI developers

The German Federal Office for Information Security (BSI) is already providing support with a whole series of statements on the subject of artificial intelligence (partly even in English).

It is therefore all the more gratifying that the BSI has in the meantime also addressed the question of how developers can practically protect machine learning systems from the most relevant threats and take adequate protective measures in a guideline.

The BSI distinguishes between three central threats in its guideline: Evasion attacks, attacks that aim to extract information, and backdoor attacks. These attacks will be briefly presented and illustrated in the following.

Whistleblower protection and the right of access on a collision course – challenges in the parallel application of whistleblower protection and Art. 15 GDPR

The enactment and applicability of the German implementation law (“German Whistleblower Protection Act”) for the Whistleblowing Directive (Directive (EU) 2019/1937) is in sight even though the law was not passed yet because the “Bundesrat” did not agree to the text adopted by the “Bundestag”. It might still take some time until the two parliaments agree on a final text. However, there is time pressure due to Germany already falling far behind the deadline for the implementation of the European Directive. This also means that the legal obligation to set up an internal reporting channel is getting closer for very many German companies (all with generally at least 250 employees).

NIS-2 Directive: New provisions to strengthen cyber resilience and security

The Directive on measures for a high common level of cybersecurity across the Union ("NIS-2 Directive") published in the Official Journal of the European Union on December 27, 2022, aims to harmonize cybersecurity requirements in the EU and imposes new cybersecurity obligations on companies. It will replace the previously applicable NIS Directive.