On October 7, 2022, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (“EO”).
The EO lays ground for the long-awaited successor to the EU-U.S. Privacy Shield, which was invalidated two years ago by the Court of Justice of the European Union (“CJEU”). There are some critical hurdles that must be cleared before companies will be able to use the new Data Privacy Framework (“DPF”) for EU-U.S. personal datal transfers. A key question for companies will be whether to rely on the DPF, given one or more likely legal challenges likely to wind up before the CJEU – the same court that invalidated the Privacy Shield and before that, the Safe Harbor. While the EO embeds long sought-after safeguards for EU data subjects, the CJEU could conclude that the new safeguards are big on process, but, like the Privacy Shield, lack meaningful substance. Meanwhile, companies that maintained their Privacy Shield certification will want to watch for guidance on transitioning to the DPF, carefully consider the risks and benefits of doing so (including updating their certifications to comply with the DPF), or, to reduce the risk of disruption to their businesses, shift to standard contractual clauses (“SCCs”) to legitimize EU-U.S. data transfers, as SCCs are currently seen as less likely to fail.
Background
In July 2020 the CJEU invalidated the Privacy Shield framework in the Schrems II decision. The decision immediately halted the ability of the over 5000 certified companies to use the Privacy Shield for EU-U.S. data transfers yet, confusingly, required certified companies to adhere to the Privacy Shield’s requirements for personal data already transferred thereunder. The subsequent release of new SCCs by the European Commission resulted in significantly more complex, costly, and burdensome compliance obligations which, in turn, effectively erected a barrier to entry to the EU market for many companies. Since then, EU and U.S. officials have been at the table forging a revamped data transfer framework that they hope can survive the inevitable legal challenge.
What’s new?
The DPF actually consists of three elements: (1) the commercial principles to which U.S. organizations can self-certify, much like they did under the Privacy Shield; (2) the EO, which imposes limits on the U.S. intelligence community’s collection and use of personal data transferred to the U.S. from the EU; and (3) Department of Justice (“DOJ”) regulations to be issued that will create a new redress infrastructure and process for covered complaints.
The DPF will also update the principles underpinning the Privacy Shield which will be named the “EU-U.S. Data Privacy Framework Principles.”
The DPF difference
The aim of the negotiators was to address head on the concerns that the CJEU found fatal in Schrems II and inoculate the DPF against a similar fate.
The CJEU cited: (1) a lack of necessity and proportionality limits on U.S. surveillance, and (2) insufficient redress rights to challenge unlawful surveillance. The EO seeks to address concern (1) by explicitly incorporating the European concept of “necessary” and “proportionate” data collection and use:
(A) signals intelligence activities shall be conducted only following a determination, based on a reasonable assessment of all relevant factors, that the activities are necessary to advance a validated intelligence priority…
(B) signals intelligence activities shall be conducted only to the extent and in a manner that is proportionate to the validated intelligence priority for which they have been authorized…1
(Emphasis added).
NOYB (the Max Schrems-fronted privacy rights group), has already condemned the EO, claiming that merely invoking the term “proportionality” without more will not suffice, particularly if it lacks the same meaning it has under applicable EU law. NOYB points to the continued permitted use of “bulk surveillance” as an example of U.S. surveillance being disproportionate.
Nonetheless, the EO identifies permissible and non-permissible objectives for signals intelligence collection activities, as well as defining rules around the handling of collected personal information. Intelligence agencies’ policies and procedures are to be updated accordingly. There is also a process for oversight with a view to ensuring that the principles set out in the EO are complied with.
In an apparent attempt to meaningfully distinguish the DPF from the Privacy Shield, the negotiators sought to address concern (2) by specifically replacing the Privacy Shield “Ombudsman” with an independent Data Protection Review Court (“DPRC”). The DPRC is yet to be established through the DOJ regulations. The CJEU’s primary concern with the Ombudsman was the lack of independence and power to bind intelligence authorities. On its face, the EO attempts to address this concern by requiring U.S. intelligence agencies to cooperate with the CLPO’s investigation and comply with any remedy prescribed by the CLPO or the DPRC. The CLPO and DPRC judges are protected from removal for exercising their authority under the DPF.
A claim must first go to the Director of National Intelligence’s Civil Liberties Protection Officer (“CLPO”). However, a claim cannot be made by an individual directly; the EO requires a claim to be raised by an appropriate public authority in a “qualifying state” (to be designated by the Attorney General based on certain criteria). Once the CLPO’s investigation is complete, a complainant can apply for review of the decision to the DPRC. However, the CLPO will only inform the complainant that there was either no violation or that it was remedied. Critics will contend, and the CJEU may conclude, that this does not go far enough -- even though this practice is similar to processes in most EU member states when classified information is at issue.2
What happens now?
The European Commission just announced that it will prepare a draft adequacy decision for data transfers under the DPF and launch the adoption process for the DPF. Barring unforeseen developments, this could take up to six months. Companies engaging in EU-U.S. personal data transfers should therefore continue to utilize alternative transfer mechanisms, such as SCCs. The SCCs should be supported by Transfer Impact Assessments (“TIAs”) where required. Given the immediate impacts of the EO on U.S. intelligence agencies, the conduct of TIAs may become less burdensome. Companies may wish to review their current TIAs and consider adopting any updates to account for the EO.
Companies that have maintained their Privacy Shield certification can expect guidance regarding these certifications and the transition to the DPF in due course.
A final note: The UK follows suit
The UK government also on October 7, 2022, announced progress toward a new UK-U.S. data transfer adequacy agreement which is expected “in the coming weeks”.
Conclusion
Even if the DPF adoption and adequacy determination processes go smoothly companies may wish to adopt a “wait and see” approach while the inevitable legal challenge to the DPF plays out.
Footnotes
1) Section 2(a)(ii) of the EO
2) Practice in EU member states is analyzed in detail in a paper by the European Union Agency For Fundamental Rights entitled “Surveillance by intelligence services: fundamental rights safeguards and remedies in the EU” published in 2017. The paper is available at https://fra.europa.eu/sites/default/files/fra_uploads/fra-2017-surveillance-intelligence-services-vol-2_en.pdf
