The EO paves the way for the European Commission to launch an adequacy process for companies participating in the EU-U.S. DPF. Beyond issuing the EO, several additional steps must take place before a formal adequacy framework will again be in place between the United States and the European Union. These steps include the European Commission issuing a formal adequacy decision, as well as a review of the determination and issuance of an opinion by the European Data Protection Board. Finally, the European Member States must approve the framework, followed by formal adoption. The European Commission has already voiced support for the new EU-U.S. DPF, stating that these are significant improvements, compared to the mechanism that existed under the Privacy Shield.
What does the Executive Order mean for Workday customers?
True to our core value of customer service, Workday takes privacy and security very seriously, and maintains appropriate safeguards to protect the data of our customers. Following the Schrems II case, we provided our customers with a robust transfer impact assessment (TIA) whitepaper to help them assess the risk of transferring EU personal data to the United States in the context of an enterprise human capital management (HCM) and financial management system. Based on many factors, including the type of data, history of government requests to Workday, and other similar companies, as well as government statements, we concluded the risk was low.
Workday will immediately update our existing TIAs to reflect this change in U.S. law, and will continue to use our TIA to support transfers using legal mechanisms that Workday already employs, such as Binding Corporate Rules for Processors (BCRs) and Standard Contractual Clauses (SCCs). In addition, Workday has maintained our certification to the Privacy Shield framework. As the legal challenge to the Privacy Shield was not based on commercial data practices, but national security issues, we expect the process to use the new EU-U.S. DPF, as a legal data transfer mechanism will be near seamless once the new adequacy decision is finalized, which will likely be in the spring of next year.
The seamless transfer of data between the U.S. and EU is foundational to transatlantic trade and investment in today’s digital economy, with more data moving between the United States and Europe than anywhere else in the world. It’s important that policymakers, in partnership with businesses and other stakeholders, come together to develop and implement lasting frameworks that enable data transfers and protect privacy. In the days and months that followed the Schrems II decision, Workday engaged heavily with both the Biden Administration and their counterparts in the European Commission to help chart a path forward for a successor data transfer framework. We strongly support President Biden’s EO implementing the commitments under the EU-U.S. Data Privacy Framework and look forward to working with partners in the EU in support of a new adequacy finding.
Be sure to keep an eye out for the updated TIA coming soon, which we will post in the Workday Community.