President Joe Biden has signed an Executive Order on the trans-Atlantic transfer of personal data to implement critical data privacy protections for individuals worldwide and provide companies with a new framework for transferring EU personal data to the US.
Why it’s important: EU-to-US data flows facilitate $7.3 trillion in economic relationships. The Executive Order implements a new EU-US Data Privacy Framework to replace the EU-US Privacy Shield Framework.
Driving the news: President Biden’s Executive Order outlines steps the US will take to implement the EU-US Data Privacy Framework that was announced in March 2022 by President Biden and European Commission President von der Leyen.
The Executive Order addresses key issues raised in the Schrems II decision related to U.S. surveillance authorities by:
- Restricting surveillance to activities necessary to achieve defined national security objectives.
- Requiring consideration of privacy and civil liberties of all persons, regardless of nationality or country of residence.
- Creating a multi-layered mechanism for individuals to obtain independent and binding review and redress for violations of U.S. legal protections, including those guaranteed by the Executive Order.
The Salesforce perspective: “We welcome the Executive Order on trans-Atlantic data transfers. It will increase privacy protections for individuals worldwide and strengthen trust in the continued validity of all EU cross-border data transfer mechanisms,” said Ed Britan, Head of Global Privacy, Salesforce. “With the EU-US Data Privacy Framework, the EU and the U.S. have demonstrated shared values in jointly setting a heightened privacy and data protection standard that global frameworks should now meet.”
The big picture: The Court of Justice of the European Union’s 2020 Schrems II decision invalidated the Privacy Shield Framework, causing uncertainty for many businesses about the legal threshold for transferring EU data across borders.
Salesforce uses multiple mechanisms to provide customers with cross-border transfer security:
- Binding Corporate Rules (BCRs) – Salesforce was the first enterprise software company to achieve approval for BCRs from European data protection authorities. BCRs reflect the highest data protection standards in the world and remain the gold standard for cross-border data transfer.
- Standard Contractual Clauses (SCCs) – In 2021, Salesforce released a data processing addendum (DPA), which includes the newest version of the standard contractual clauses and best-in-industry commitments around challenging government access requests and providing for customer audits.
- EU-US Data Privacy Framework / Privacy Shield – Salesforce has remained certified under Privacy Shield and understands that the same commercial requirements and certification scheme will be used for the EU-US Data Privacy Framework. Salesforce will continue to meet and exceed the requirements of the EU-US Data Privacy Framework.
These efforts reflect Salesforce’s commitment to providing customers with the strongest protections available for addressing cross-border transfer requirements. In addition:
- In 2021, Salesforce announced the Hyperforce EU Operating Zone, allowing customers expanded data residency services for storing and processing data in the EU.
- At Dreamforce ’22, Salesforce announced external encryption key management, enabling customers to use EU encryption partners, based in the EU, for controlling access to their data.
Go deeper: Learn more about EU/U.S. cross-border data transfer mechanisms:
- Read Salesforce’s Data Processing Addendum
- Read Salesforce Binding Corporate Rules for Processors
- See Salesforce’s EU Personal Data Transfers datasheet
- Read Salesforce’s Principles for Government Requests for Customer Data
- Read Salesforce’s Transparency Report
For more on Salesforce and privacy, go here.