Workday applauds the approval of the new EU-US Data Privacy Framework (DPF), which provides companies with greater confidence in legally transferring European personal data to the United States. Workday is a strong advocate for government-to-government agreements that facilitate cross-border data flows. Furthermore, we appreciate the years-long effort by the United States and the European Commission to ensure the continued safe flow of data across the Atlantic. With the U.S. government’s commitments under the DPF now fulfilled, and the European Commission’s adequacy decision finalized, policymakers on both sides of the Atlantic have agreed to new safeguards to address the Court of Justice of the European Union’s (CJEU) concerns in the “Schrems II” decision of July 2020.
To help our customers understand what this means for them, I’d like to address some common questions about the newly approved DPF.
What’s happened since the Executive Order was released?
As a refresher, the primary issues set out in the CJEU’s Schrems II decision were tied to U.S. government access activities. Over the past year, the U.S. government made meaningful changes to how the U.S. intelligence community can access European personal data and put in place structures to provide non-U.S. individuals with rights of redress if they believe their data was accessed inappropriately. The Department of Justice and the Office of the Director of National Intelligence implemented these commitments as outlined under President Biden’s Executive Order on transatlantic data transfers. Specifically, U.S. intelligence agencies adopted the new policies and procedures, the Attorney General formally designated the European Economic Area as a “qualifying state” that may access the DPF’s redress mechanism, and a new Data Protection Review Court was established. Read below if you’d like to learn more about Workday’s perspective on this executive order.
How does the DPF impact Workday customers?
The adequacy decision provides our customers with greater certainty that European personal data can legally be transferred to the United States. Since 2020, Workday has successfully supported our customers using other data transfer mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules for Processors. During this time, we also provided a thorough Transfer Impact Assessment datasheet to help customers assess the risk of any transfer. We’ll continue to offer these legal data transfer mechanisms, and we are updating our Transfer Impact Assessment datasheet to reflect the recent changes in the U.S. legal system. Even for companies that don’t rely on the new DPF as a data transfer mechanism, the new U.S. government safeguards apply to all personal data transfers under the General Data Protection Regulation to companies in the U.S., including those using Standard Contractual Clauses and Binding Corporate Rules.
In addition, we maintained our certification to the Privacy Shield Framework, which will enable us to quickly transition to the DPF. We also commit to continuing transparency about law enforcement requests for access to data, and publishing regular updates to our transparency report.
Will there be a Schrems III?
As we saw with the Safe Harbor Framework and the Privacy Shield Framework, we’re likely to see the DPF challenged in the European courts. Based on the unprecedented changes the U.S. government implemented to strengthen safeguards for government access to European personal data and provide non-U.S. individuals with redress rights, Workday believes the DPF succeeds in both governments’ shared goal of securing a durable and reliable legal basis for transatlantic data flows.
Here at Workday, we eagerly welcome the much-awaited Executive Order (EO) on transatlantic data transfers, which was issued by President Joe Biden on October 7. The EO seeks to implement the agreement between the European Union and the United States to address government access issues that were at the heart of the Schrems II case, which invalidated the Privacy Shield as a data transfer mechanism. The seamless transfer of data between the United States and European Union plays a vital role in driving the digital economy, and enabling multinational companies to effectively manage their global workforces.
The new EO is a positive step forward in continuing the free flow of personal data from the European Union, including employee data, to the United States. However, there’s a lot of information to digest, so I’d like to provide some clarity on exactly what it means, and how it will affect our customers going forward.
What is the significance of the EO?
Several months ago, President Biden and the European Commission President Ursula von der Leyen announced a political agreement known as the EU-U.S. Data Privacy Framework (DPF), which is intended to bolster the free flow of EU personal data to the United States. The newly released EO formalizes the U.S. commitments to that agreement by providing a process for EU citizens to make formal complaints if they believe their personal data was unlawfully collected by the U.S. government for purposes of national security. It also implements safeguards to ensure that U.S. intelligence activities are necessary and proportionate as they seek to achieve their security objectives.