EU & US - The new EU-US Data Privacy Framework is finally here, or is it?
It’s been a long wait since March 2022 when the European Commission and the United States first announced an agreement in principle on the new EU-US Data Privacy Framework to facilitate transatlantic data flows (read more here).
With the December 2022 deadline to sign the new standard contractual clauses fast approaching companies have been putting those new clauses in place and conducting complex and time-consuming transfer impact assessments (“TIAs”) in an effort to justify transfers to third countries like the US.
This all follows the Court of Justice of the European Union’s (“CJEU”) decision in Schrems II over two years ago that the old privacy framework, the EU-US Privacy Shield, did not provide a valid justification for transfers of personal data to the US. Since then, the legal landscape has been plagued with uncertainty, higher privacy compliance costs, and difficult decisions about which service providers to use.
In an historic step, giving EU and US businesses a glimmer of hope for a more straightforward and robust alternative for transfers to the US, President Biden signed the Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities on October 7, 2022 (the “Order”). The Order outlines the implementation steps the US government will undertake in furtherance of the EU-US Data Privacy Framework (DPF) – the first step in the pact between the EU and the US to rebuild trust and ease cross-border commerce.
The Executive Order in a nutshell
The Executive Order is a prerequisite for the new DPF. The CJEU’s decision in Schrems II made it clear that the problem with the old Privacy Shield was not the Privacy Shield Principles per se, but rather the ability of the US law enforcement and intelligence agencies to access personal data outside the scope of those Principles. Addressing those concerns requires changes to US law.
The US has chosen to make those changes through an executive order. This carries the force of law with respect to the executive branch, which includes law enforcement and intelligence agencies.
Greater safeguards for all individuals
To respond to the concerns raised by the CJEU, particularly the level of privacy protections in the US and the lack of redress available to non-US nationals in the event that their right to privacy is violated, the Order provides for a host of additional safeguards. It also responds to criticisms regarding bulk collection under Executive Order 12333 on US intelligence activities and replaces aspects of Presidential Policy Directive 28 (PPD-28) on signals intelligence activities to give them the force of law. While the Order should be read alongside FISA Section 702, which regulates foreign physical and electronic surveillance, and other US national security regulations, it is limited to signals intelligence collection activities.
In particular, the Order:
- Adds more privacy and civil liberties safeguards for US signals intelligence activities. The Order requires that signal intelligence activities be necessary and proportionate and only for the purpose of 12 specific legitimate national security and/or intelligence objectives.
- These legitimate objectives include assessing the capabilities of a foreign government, military, political organization, or its agent to protect the national security of the US or its allies, assessing transnational threats to global security, combatting terrorism and hostage crises, and protecting against espionage and cybersecurity threats. Alongside these core national security purposes are those addressing more modern concerns such as transnational threats arising from climate and other ecological change.
- Notably, the order makes it clear that some purposes are not legitimate and so are prohibited. These include suppressing free expression, criticism, privacy interests, or one’s right to legal counsel, or disadvantaging a person based on their ethnicity, race, gender/gender identity, sexual orientation or religion. Importantly, collecting private commercial information or trade secrets is also not a legitimate objective and is prohibited.
- Allows bulk collection of signals intelligence but limits its scope. The Order allows bulk collection but only for a narrower subset of legitimate national security and/or intelligence objectives (e.g., this does not include transnational ecological issues). The Order also requires that targeted collection be prioritized whenever possible.
- Considers the privacy and civil liberties of all persons. The scope of the Order is not limited to just US nationals for purposes of safeguards and redress.
- Establishes additional oversight and independent review mechanisms to provide EU individuals with limited redress. This will allow EU individuals to make claims that their personal data was collected through US signals intelligence activities in violation of US law, including violations of the US Constitution, certain sections of FISA and any applicable procedures approved by the Foreign Intelligence Surveillance Court (FISC), Executive Order 12333 and related agency procedures and the Order.
This redress mechanism includes establishing:
- a Civil Liberties Protection Officer (“CLPO”) in the Office of the Director of National Intelligence to review claims and conduct initial investigations; and
- a Data Protection Review Court (“DPRC”) to review initial decisions by the CLPO. The DPRC will be staffed by judges appointed by the Attorney General in consultation with the Department of Commerce and the Privacy and Civil Liberties Oversight Board (“PCLOB”). There are various measure to ensure the DPRC’s independence including the fact that the members of the Court will not be subject to supervision by the US Attorney General and will be protected from dismissal.
In particular, the Order creates an entitlement for individuals to submit qualifying complaints to the CLPO and seek review by the DPRC pursuant to this redress mechanism. The outcome of the redress mechanism will, however, be limited. The individuals will simply be given a standardized notice that the review has been completed and either: (a) did not identify a violation; or (b) the DPRC found a violation and issued a determination requiring it to be remediated. Given this involves sensitive national security matters, the individuals will not be given wider details nor even informed if their personal data was actually collected as part of the relevant signal’s activity.
- Imposes data processing requirements. The Order mandates that personal data collected via signals intelligence activities be properly processed; and it enhances the legal, oversight and compliance functions to remediate non-compliance.
- Directs US intelligence agencies to update their policies and procedures. This must be done to comply with the Order’s safeguards.
- Requires review of US intelligence agency policies and procedures. This will be done by the PCLOB to verify compliance with the Order, as well as annual reviews of the redress process.
- Imposes limitations on the retention of personal data. This applies to data collected via signals intelligence activities.
In connection with the Order being issued, the US Attorney General also issued its own regulations to establish the DPRC (see the DOJ press release and Final Rule).
Limited scope of the Order
The Order applies alongside other existing US laws and regulations, including FISA Section 702, Executive Order 12333 and the now curtailed Presidential Policy Directive 28 (PPD-28). A national security memorandum issued concurrently with the Order revoked certain sections of PPD-28, previously issued by the Obama Administration in 2014 to provide guiding principles for signals intelligence activities. Still intact are PPD-28’s sections on the principles governing the collection of signal intelligence and its general provisions. While PPD-28 is binding on the Executive Branch, including intelligence agencies, it is not judicially enforceable.
To be clear, signals intelligence collection must comply with the Order, but the Order does not otherwise limit the signals intelligence collection techniques authorized under other US national security laws, including the National Security Act of 1978 as amended, FISA as amended, Executive Order 12333, and PPD-28. Importantly, the Order does not alter the rules applicable to US persons adopted under these regulations.
The Order also does not authorize classified national security information to be disclosed or declassified unless authorized pursuant to another regulation or executive order. Furthermore, the Order does not create any other rights (other than the entitlement for redress for qualified complaints).
The intent of the Order is to offer a basis for the European Commission to adopt a new adequacy determination with respect to the US.
What this means for EU-US data flows
Given that transatlantic data flows support an economic relationship of roughly US$7.1 trillion and data transfers specifically underpin more than US$1 trillion in cross-border business between the EU and the US, it’s no wonder both sides of the Atlantic are keenly focused on reaching a resolution as soon as possible. The various hurdles and overall uncertainty underpinning current data transfers have stifled cross-border commerce as businesses have had to scramble to carry out TIAs or find new vendors, often opting to rely on ‘onshore’ vendors in the EU or in jurisdictions already benefiting from an adequacy decision.
Against this backdrop, the release of the Order is an important step towards the recognition of a new transatlantic solution to the EU-US data transfers that are core for businesses on both sides of the ocean. After years of uncertainty for companies with business across the two continents, the possibility of transferring personal data safely and clearly in compliance with the GDPR could soon become a reality. The Order is a first step on that road.
What next?
In terms of immediate next steps, the European Commission will review the Order to ensure it adequately addresses the gaps identified by the CJEU and will issue a detailed draft decision.
The European Commission will then need to seek a legal opinion from the European Data Protection Board, and the decision will also be subject to scrutiny by the European Parliament. Finally, the issue will be subject to a vote and approval by a committee composed of representatives of the EU Member States. This legal process can finally commence now that President Biden has issued the Order.
Taken together, these steps will take considerable time, possibly upwards of six months. It’s theoretically possible that this new privacy framework could be blocked at any stage, though given the high-level endorsement by President Ursula von de Leyen, and the heightened national security threat following the invasion of Ukraine, it seems likely that there will be a greater desire to now build strong links between the EU and the US.
There’s also the question of what happens to membership of the old EU-US Privacy Shield – while the site announced that the Trans-Atlantic Data Privacy Framework was agreed in principle in March 2022, there have been no further updates about what the Order means for existing Privacy Shield members and what’s to come. It is hoped that the members of the old Privacy Shield can simply ‘grandfather’ their membership to the new DPF, but this has not been confirmed.
Similarly, the position for UK-US transfers is still unclear, though there have been suggestions that the UK will want to use this Order to make a swift adequacy finding, possibly before the process in the EU has completed, to help demonstrate the benefits of Brexit.
Schrems III?
The collective hope is that the proposed text from the Order will be sufficiently robust and in line with CJEU requirements so that the framework can be relied on in the long term and resist any further challenge by that court. However, noyb, the digital rights organization co-founded by Max Schrems, has already issued a press release suggesting that the Order does not satisfy the requirements of Schrems II and it will likely bring another challenge.
At a minimum, this has certainly attracted a lot of fanfare and the Presidents of the US and the EU Commission seem keenly committed to the deal. That should help expedite the legal process ahead, but even with fair political winds, it may prove a long and winding road and it seems quite unlikely it will be completed by the end of the year, being the deadline to repaper any old SCCs with the new SCCs. In other words, while this is a welcome development, businesses with transatlantic links likely need to continue signing the new SCCs and conducting those thorny TIAs.