14.10.2022 | KPMG Law Insights

Doubts about U.S. President Biden’s executive order on data protection

Is a new data protection agreement with the USA on the way? If so, does it stay?

After the EU and the U.S. announced an “agreement in principle” on new rules for transatlantic data sharing on March 25, 2022, U.S. President Joe Biden signed the Executive Order establishing the “EU-U.S. Data Privacy Framework” (EU-U.S. DPF for short) announced therein on October 07, 2022. This legal act could form the basis for a new adequacy decision by the EU Commission, thus restoring the long-awaited legal certainty for the transfer of personal data between Europe and the US. But the reactions to this have been mixed. While U.S. industry associations, government agencies, and the EU Commission welcome the announced measures, European data privacy advocates have significant doubts that the Executive Order is sufficient to address the discrepancies identified in the ECJ’s Schrems II ruling between the powers of U.S. security agencies and the EU Charter of Fundamental Rights (CFR). Who is right now?

The most important thing in advance:

  • U.S. President Joe Biden signed an executive order on Oct. 7, 2022, to comply with EU data privacy requirements.
  • There are doubts as to whether the adopted measures meet the requirements of EU law and the ECJ.
  • The Executive Order could provide the basis for a new adequacy decision, which could be adopted as early as March 2023.
  • The issuance of the Executive Order does not change the current legal situation. For the time being, companies should conclude standard contractual clauses and prepare transfer impact assessments to safeguard data transfers to the USA.

Essential contents

The main criticisms of the U.S. legal situation cited by the ECJ in its Schrems II ruling were, in particular, that the surveillance measures carried out by the U.S. were not proportionate within the meaning of Article 52 CFR and that, contrary to Article 47 CFR, no judicial remedy was available to those affected. The Executive Order explicitly addresses this criticism.

1. introduction of a proportionality test

Sec. 2 of the Executive Order provides that intelligence activities may only be used to achieve predefined legitimate objectives. Furthermore, in the future, surveillance measures must be “necessary” and “proportionate” in terms of the intrusion into the privacy and freedoms of those affected in order to achieve the legitimate objectives – regardless of whether they are U.S. citizens or not.

Thus, the Executive Order approximates, at least in its wording, the requirements for fundamental rights interferences in Art. 52 CFR. What is more decisive, however, is how the concepts of “necessity” and “proportionality” are interpreted in the respective legal system. It is already clear from the Executive Order itself that the thresholds of necessity and proportionality are noticeably lower according to American understanding. While the Executive Order explicitly continues to allow for bulk surveillance measures (“bulk surveillance”), such as Upstream and PRISM (Sec. 2. (c) (ii)), the ECJ again declared the German regulations on data retention to be contrary to European law in its judgment of 20.09.22 (C-793/19 and C-794/19). It therefore seems questionable whether the U.S. understanding of proportionality will stand up to scrutiny by the ECJ.

2. two-stage appeal & Data Protection Review Court

The Executive Order provides for a two-step appeal process under which EU data subjects can also file complaints against surveillance measures. In the first stage, these are reviewed by the Civil Liberties Protection Officer (CLPO), who reports to the Director of National Intelligence and thus to a U.S. agency. The latter will decide in a secret procedure whether an infringement has occurred. The data subject is merely informed that either no violation occurred or that remedial action has been ordered in a legally binding manner (“the review either did not identify any covered violations or the [CLPO] issued a determination requiring appropriate remediation“).

Decisions of the CLPO may be reviewed by the newly formed Data Protection Review Court (DPRC) at the request of the data subject or a supervisory authority in the second stage. Members of this panel must be composed of knowledgeable legal practitioners who are not employed by a U.S. government agency at the time of their appointment. As in the proceedings before the CLPO, decisions are made in secret and affected parties receive only general information about the outcome of the proceedings.

It is true that the decision-making body is referred to as the “Court” and thus in German as “Gericht”. However, there are considerable doubts as to whether the DPRC actually meets the requirements of an independent and impartial court within the meaning of Article 47 CFR. According to the wording of sec. 3 (d) (i) of the Executive Order, members of the DPRC may not hold any office within the U.S. Government during their term of office – other than serving as a judge of the DPRC. This indicates a subordination of the DPRC to the executive branch instead of the judiciary. In addition, the DPRC itself appoints the litigation representative of the affected party.

Nor does the Executive Order contain any statement that affected persons must be informed of surveillance measures that have been carried out. This seriously calls into question the “effectiveness” of the remedy provided.

Next steps

The European Commission has signaled that it expects an adequacy decision on the EU-U.S. DPF, to be finalized under the Executive Order, to withstand judicial review by the ECJ. Accordingly, it has initiated the procedure for the adoption of an adequacy decision pursuant to Article 45 GDPR. Before a decision is taken, the European Data Protection Committee (EDSA) and the European member states must be consulted. It would be up to the member states alone to reject the decision, which seems unlikely. A decision on the resolution is expected in March 2023.

What does this mean for companies?

The Executive Order has no immediate effect on European companies. For the transfer of personal data, the transfer mechanisms available to date must still be used. Foremost among these are the new standard contractual clauses published by the EU Commission on June 04, 2021. Existing standard contractual clauses still based on the old models must be converted to the new models, which also require a transfer impact assessment in the case of the U.S., by December 27, 2022 (we reported here). If the Commission were to adopt a new adequacy decision based on the Executive Order, personal data could be transferred to the U.S. based on that decision without any further requirements. However, companies should not rely on this. There are reasonable doubts about the adequacy of the newly adopted U.S. government measures in light of the requirements of the CFR and the ECJ. These do not rule out the possibility that the EU-U.S. DPF will also be declared invalid shortly after it enters into force. Privacy activist Max Schrems has already indicated he will oppose a new adequacy decision if it is adopted based on this Executive Order. It therefore remains advisable to agree standard contractual clauses.

Explore #more

13.06.2024 | Press releases

Handelsblatt and Best Lawyers honor KPMG Law Experts

Best Lawyers has once again identified the best commercial lawyers in Germany for 2024 exclusively for Handelsblatt. A total of 28 lawyers were honored by…

27.05.2024 | KPMG Law Insights

Agreement on ecodesign regulation: products to become more sustainable

After lengthy negotiations, the Council and Parliament of the European Union reached a provisional agreement on the Ecodesign Regulation on the night of December 5,…

22.05.2024 | KPMG Law Insights

The AI Act is coming: EU wants to get a grip on AI risks

For many people, artificial intelligence (AI) is the great hope for business, healthcare and science. But there are also plenty of critics who fear the…

17.05.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: When the family business is to be sold

Around 38,000 family businesses are currently handed over each year. In most cases, the change of ownership takes place within the family. But more and…

03.05.2024 | KPMG Law Insights

Doubts about inability to work? What employers can do

The certificate of incapacity for work (AU certificate) serves as proof of incapacity for work due to illness. However, only if the certificate meets certain…

27.03.2024 | KPMG Law Insights

EU Buildings Directive: life cycle greenhouse potential becomes relevant

On March 12, 2024, the EU Parliament approved the amendment to the EU Buildings Directive. The directive obliges member states and, indirectly, building owners and…

19.03.2024 | Business Performance & Resilience, KPMG Law Insights

CSDDD: Provisional agreement on the EU Supply Chain Directive

The EU member states agreed on the CSDDD, the EU Supply Chain Directive, on March 15, 2024. Germany abstained from the vote. Negotiators from the…

21.02.2024 | KPMG Law Insights, KPMG Law Insights

The Digital Services Act – what does it mean for companies?

The Digital Services Act (DSA) is a key component of the EU’s digital strategy and came into force on November 16, 2022. As a regulation,…

15.02.2024 | KPMG Law Insights

Data compliance management: How to implement it in practice

Part 3 of the article series “Professional tips for data compliance management”   The third part of this series of articles deals with data compliance

14.02.2024 | Business Performance & Resilience, PR Publications

Guest article in ZURe: Monitoring the implementation of the LkSG

The current issue of ZURe (p. 20 ff.) contains a guest article by KPMG Law Partner Thomas Uhlig (Head of General Business and Commercial Law),…

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.