What the New Trans-Atlantic Executive Order Means for Cross-Border Data Transfers

The seamless transfer of data between the United States and European Union plays a vital role in driving the digital economy and enabling multinational companies to effectively manage their global workforces. Workday Chief Privacy Officer Barbara Cosgrove shares an update on what the new EU-US Data Privacy Framework means for Workday customers, and for the future.

July 2023

Workday applauds the approval of the new EU-US Data Privacy Framework (DPF), which provides companies with greater confidence in legally transferring European personal data to the United States.  Workday is a strong advocate for government-to-government agreements that facilitate cross-border data flows. Furthermore, we appreciate the years-long effort by the United States and the European Commission to ensure the continued safe flow of data across the Atlantic. With the U.S. government’s commitments under the DPF now fulfilled, and the European Commission’s adequacy decision finalized, policymakers on both sides of the Atlantic have agreed to new safeguards to address the Court of Justice of the European Union’s (CJEU) concerns in the “Schrems II” decision of July 2020.  

To help our customers understand what this means for them, I’d like to address some common questions about the newly approved DPF.

What’s happened since the Executive Order was released?

As a refresher, the primary issues set out in the CJEU’s Schrems II decision were tied to U.S. government access activities. Over the past year, the U.S. government made meaningful changes to how the U.S. intelligence community can access European personal data and put in place structures to provide non-U.S. individuals with rights of redress if they believe their data was accessed inappropriately. The Department of Justice and the Office of the Director of National Intelligence implemented these commitments as outlined under President Biden’s Executive Order on transatlantic data transfers. Specifically, U.S. intelligence agencies adopted the new policies and procedures, the Attorney General formally designated the European Economic Area as a “qualifying state” that may access the DPF’s redress mechanism, and a new511 Data Protection Review Court was established. Read below if you’d like to learn more about Workday’s perspective on this executive order. 

How does the DPF impact Workday customers?

The adequacy decision provides our customers with greater certainty that European personal data can legally be transferred to the United  States. Since 2020, Workday has successfully supported our customers using other data transfer mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules for Processors. During this time, we also provided a thorough Transfer Impact Assessment datasheet to help customers assess the risk of any transfer. We’ll continue to offer these legal data transfer mechanisms, and we are updating our Transfer Impact Assessment datasheet to reflect the recent changes in the U.S. legal system. Even for companies that don’t rely on the new DPF as a data transfer mechanism, the new U.S. government safeguards apply to all personal data transfers under the General Data Protection Regulation to companies in the U.S., including those using Standard Contractual Clauses and Binding Corporate Rules.

In addition, we maintained our certification to the Privacy Shield Framework, which will enable us to quickly transition to the DPF. We also commit to continuing transparency about law enforcement requests for access to data, and publishing regular updates to our transparency report.

Will there be a Schrems III?

As we saw with the Safe Harbor Framework and the Privacy Shield Framework, we’re likely to see the  DPF challenged in the European courts. Based on the unprecedented changes the U.S. government implemented to strengthen safeguards for government access to European personal data and provide non-U.S. individuals with redress rights, Workday believes the DPF succeeds in both governments’ shared goal of securing a durable and reliable legal basis for transatlantic data flows.  

October 2022

Here at Workday, we eagerly welcome the much-awaited Executive Order (EO) on transatlantic data transfers, which was issued by President Joe Biden on October 7. The EO seeks to implement the agreement between the European Union and the United States to address government access issues that were at the heart of the Schrems II case, which invalidated the Privacy Shield as a data transfer mechanism. The seamless transfer of data between the United States and European Union plays a vital role in driving the digital economy, and enabling multinational companies to effectively manage their global workforces. 

The new EO is a positive step forward in continuing the free flow of personal data from the European Union, including employee data, to the United States. However, there’s a lot of information to digest, so I’d like to provide some clarity on exactly what it means, and how it will affect our customers going forward. 

What is the significance of the EO?

Several months ago, President Biden and the European Commission President Ursula von der Leyen announced a political agreement known as the EU-U.S. Data Privacy Framework (DPF), which is intended to bolster the free flow of EU personal data to the United States. The newly released EO formalizes the U.S. commitments to that agreement by providing a process for EU citizens to make formal complaints if they believe their personal data was unlawfully collected by the U.S. government for purposes of national security. It also implements safeguards to ensure that U.S. intelligence activities are necessary and proportionate as they seek to achieve their security objectives.

The seamless transfer of data between the United States and the European Union plays a vital role in driving the digital economy, and enabling multinational companies to effectively manage their global workforces.

The EO paves the way for the European Commission to launch an adequacy process for companies participating in the EU-U.S. DPF. Beyond issuing the EO, several additional steps must take place before a formal adequacy framework will again be in place between the United States and the European Union. These steps include the European Commission issuing a formal adequacy decision, as well as a review of the determination and issuance of an opinion by the European Data Protection Board. Finally, the European Member States must approve the framework, followed by formal adoption. The European Commission has already voiced support for the new EU-U.S. DPF, stating that these are significant improvements, compared to the mechanism that existed under the Privacy Shield.

What does the Executive Order mean for Workday customers? 

True to our core value of customer service, Workday takes privacy and security very seriously, and maintains appropriate safeguards to protect the data of our customers. Following the Schrems II case, we provided our customers with a robust transfer impact assessment (TIA) whitepaper to help them assess the risk of transferring EU personal data to the United States in the context of an enterprise human capital management (HCM) and financial management system. Based on many factors, including the type of data, history of government requests to Workday, and other similar companies, as well as government statements, we concluded the risk was low.

Workday will immediately update our existing TIAs to reflect this change in U.S. law, and will continue to use our TIA to support transfers using legal mechanisms that Workday already employs, such as Binding Corporate Rules for Processors (BCRs) and Standard Contractual Clauses (SCCs). In addition, Workday has maintained our certification to the Privacy Shield framework. As the legal challenge to the Privacy Shield was not based on commercial data practices, but national security issues, we expect the process to use the new EU-U.S. DPF, as a legal data transfer mechanism will be near seamless once the new adequacy decision is finalized, which will likely be in the spring of next year. 

What’s next?

The seamless transfer of data between the U.S. and EU is foundational to transatlantic trade and investment in today’s digital economy, with more data moving between the United States and Europe than anywhere else in the world. It’s important that policymakers, in partnership with businesses and other stakeholders, come together to develop and implement lasting frameworks that enable data transfers and protect privacy. In the days and months that followed the Schrems II decision, Workday engaged heavily with both the Biden Administration and their counterparts in the European Commission to help chart a path forward for a successor data transfer framework. We strongly support President Biden’s EO implementing the commitments under the EU-U.S.Data Privacy Framework and look forward to working with partners in the EU in support of a new adequacy finding. 

Be sure to keep an eye out for the updated TIA coming soon, which we will post in the Workday Community

This blog was originally published on October 2022.

More Reading