Stabilising transatlantic data flows: Examining the role of the new EU-US Data Privacy Framework
The Executive Order
On 7 October 2022, US President Joe Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the "Executive Order"). The Executive Order is a key part of the EU-US Data Privacy Framework (the "Framework"), which is intended to replace the Privacy Shield safeguard for EU GDPR personal data exports to the United States of America. Alongside the Executive Order, the Attorney General signed Department of Justice Regulations (Attorney General Order No. 5517-2022) (the “Regulations”) which are designed to complement the Framework in stabilising trans-Atlantic transfers.
The new Framework was announced in March by President Biden and European Commission President von der Leyen. It is the third attempt to reconcile European data protection law and US surveillance practices, after the European Court of Justice ("CJEU") invalidated the Safe Harbor arrangement in 2015 and struck down the European Commission's adequacy finding for the replacement EU-US Privacy Shield in 2020, in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems C-311/18 (known as "Schrems II").
The new Framework is designed to provide protection for EU personal data that is essentially equivalent to that which it receives in Europe and to address the issues with US law identified in Schrems II.
What does the Executive Order do?
Limits US signals intelligence activities
In a direct response to the CJEU's finding that the Privacy Shield lacked necessity and proportionality limits on U.S. surveillance programs, the Executive Order adds safeguards for US signals intelligence activities (“SIGINT”). SIGINT activities are those which involve collecting foreign intelligence from communications and information systems and providing it to customers across the U.S. government.
When announcing the Framework in March 2022, President von der Leyen said the development of the Framework would “enable predictable and trustworthy data flows, balancing security, the right to privacy and data protection”.
Some examples of the safeguards the Executive Order impose on SIGINT activities include a requirement that the SIGINT activities:
- are conducted in pursuit of legitimate defined national security objectives;
- take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence; and
- be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority.
In addition, the Executive Order requires targeted collection of information through SIGNIT to be prioritised over bulk collection. Bulk collection is still permitted but should only be carried out where it is necessary for a validated intelligence objective and uses reasonable methods to limit the data collected.
Introduces a new redress mechanism
The Executive Order and Regulations establish a two-tier redress mechanism for data subjects. This new system provides for data subjects to lodge a complaint with the Civil Liberties Protection Officer (“CLPO”) at the Office of the Director of National Intelligence and, as a second step, later appeal any decision by the CLPO before a "Data Protection Review Court" ("DPRC"), an executive, independent judicial body composed of members from outside the US Government. The DPRC, established by the Regulations, will have powers to investigate complaints, obtain information from intelligence agencies, and issue binding judgments. This two-tier redress system is an upgrade from the old "Ombudsperson" system under the old Privacy Shield mechanism which was part of the US State Department and did not have similar investigatory or binding decision-making powers.
This new redress mechanism will only be available to data subjects in countries or territories designated as a “qualifying state” by the Attorney General. In a joint statement issued on behalf of the UK and US Governments on the same day as the signing of the Executive Order, the UK Secretary of State for Digital, Culture, Media and Sport (“DCMS”) and the US Secretary of Commerce confirmed that the US "intends to work to designate the UK as a qualifying state under the Executive Order, assuming the conditions for such designation can be satisfied". In order to become a “qualifying state”, certain factors need to be met. In particular, the designation of a territory as a qualifying state must “advance the national interests of the United States” and the territory in question must;
- have appropriate safeguards relating to the conduct of SIGINT activities concerning personal data of US citizens that has been transferred from the US to that territory; and
- permit or is anticipated to permit the transfer of personal information for commercial purposes between the US and the territory.
This reciprocal requirement for a territory to implement safeguards for US citizens’ data to benefit from the new redress mechanism is hoped to help advance global standards of redress for data protection breaches. However, it must be noted that not all data subjects will automatically access this redress mechanism established under the Executive Order and so for some territories concerns over redress will remain.
Introduces internal procedural requirements for handling personal data
The Executive Order and Regulations require the SIGINT community to ensure they implement policies and procedures to ensure data is appropriately protected from access by non-authorised persons. The data should only be accessed by those who need to know the information to perform their roles or determine the when the data should be deleted.
In addition to considering access safeguards, the Executive Order requires businesses in the SIGINT community to maintain internal processes setting out best practice in relation to data handling, retention and minimisation. By October 2023, these businesses must consult with the Attorney General, CLPO, and the Privacy and Civil Liberties Oversight Board (PCLOB) to ensure these policies and procedures are aligned with the Executive Order and, as far as possible release these policies to enhance public understanding of the SIGINT activities.
There are other requirements that are intended to improve overall governance and transparency standards within the SIGINT community, including mandatory designation of senior-level legal, oversight, and compliance officials; and maintenance of appropriate training for all employees.
Updates the Privacy Shield Commercial Principles
US recipients of personal data must be certified to the Framework, in the same way as under the Privacy Shield. The US Department of Commerce are currently updating the privacy principles that companies were required to adhere to under the old Privacy Shield and these updates are expected to include updates and safeguards reflecting key principles and obligations of the GDPR, plus potentially also recent case law and guidance in the EU. It is likely to be simple for those already registered for Privacy Shield to continue to participate.
Reaction to the Executive Order
The Executive Order and Regulations have been greeted as an important step towards stabilising trans-Atlantic data transfers. The Executive Order is the culmination of the EU and US working together to address the key concerns raised in Schrems II, which makes a new US adequacy decision by the European Commission far more likely.
For US Commerce Secretary, Gina Raimondo, the Executive Order demonstrates the “joint effort to restore trust and stability… provide a durable and reliable legal foundation and certainty for transatlantic data flows, and create greater economic opportunities for companies and citizens on both sides of the Atlantic”.
There have also been some positive reactions outside of the EU and US, with the Future of Privacy Forum’s CEO Jules Polonetsky commenting that the Framework “puts in place practical surveillance limitations, oversight, and individual redress that are unmatched almost anywhere else in the world in the context of national security”.
However, as predicted before the announcement of the Framework, not all responses have been positive. The Austrian lawyer and activist Max Schrems and his organisation None of Your Business (NOYB) indicated that a third challenge is likely, commenting “it will be back to the CJEU sooner or later”. NOYB will now analyse the package in detail focussing on ways in which the Framework lacks compliance with EU law and recent CJEU judgments.
Next steps
The European Commission must now issue an adequacy decision in respect of the Framework under Article 45 of the GDPR - a final decision in this regard is expected to be published in Spring 2023.
The UK will need to make an independent decision on whether the new Framework provides appropriate protections, and its own adequacy regulations in respect of data transfers to the US. The joint statement of the UK Secretary of State for DCMS and the US Secretary of Commerce confirmed plans for the UK to also review the Executive Order and to prepare for an adequacy decision for UK-US data flows in early 2023.
What should organisations do?
Although the Executive Order has immediate effect, until the commercial principles for certification are updated and an adequacy decision is reached by the EU and UK, companies should continue to rely upon alternative data transfer mechanisms (such as the European Commission’s Standard Contractual Clauses (“EU SCCs”), the UK’s International Data Transfer Agreements (“IDTA”) or Binding Corporate Rules (“BCRs”)) to ensure ongoing compliance.
In addition, companies should continue to comply with other applicable transfer obligations, including completing Transfer Impact Assessments before making transfers where they are not relying on an adequacy decision to make a transfer. Organisations should also reflect the changes to US law in any Transfer Impact Assessment for the US on which they are relying. In particular, businesses will need to address whether the recipient of the data is a certified business under the Framework and whether the affected data subjects reside in a “qualifying state” for the redress mechanism.
It is important to bear in mind that businesses implementing the new EU SCCs only have until 27 December 2022 to amend any existing contracts to incorporate those SCCs. This remains an important deadline that still needs to be met for US transfers regardless of the new Framework given that any adequacy decision will not be in place before that date. Please keep an eye out for our monthly bulletin and future blogs updating you on key developments.