On 7 October 2022, the President of the United States, Joe Biden, signed an Executive Order implementing the EU-US Data Privacy Framework replacing the Privacy Shield, which was left invalid after the July 2020 Schrems II decision of the EU Court of Justice (ECJ) due to its lack of adequate protection. As stated by US Secretary of Commerce, Gina Raimondo, “the EU-US Data Privacy Framework includes robust commitments strengthening the safeguards for US signals intelligence activities, which will ensure the privacy of EU personal data. These commitments will cover personal data transfers to the United States under EU law, including those using Standard Contractual Clauses, Binding Corporate Rules, or a future adequacy decision for the EU-US Data Protection Framework.”
Aiming to comply with EU law under the Schrems II ruling, the Executive Order particularly focuses on the issues found by the ECJ by implementing:
Limitations of signals intelligence activities to those which are proportionate and necessary
US signals intelligence (SIGINT) activities are only allowed in pursuit of defined national security objectives (e.g. the protection against threats to the personnel of the United States or of its allies or partners). Explicitly not covered are so-called prohibited objectives such as suppressing or burdening criticism, dissent, or the free expression of ideas or political opinions by individuals or the press. In addition, US SIGINT activities are to be conducted while taking the privacy and civil liberties of all persons (regardless of nationality or country of residence) into consideration.
A two-layered mechanism for oversight and redress
First, impacted individuals, including EU citizens and those residing in the EU, have a right to complain about violations of United States law (including the Executive Order) that have taken place in the conduct of US SIGINT activities and affected the complainant’s individual privacy and civil liberties interests. All complaints are to be transmitted to the Civil Liberties Protection Officer by the appropriate public authority in a qualifying state.
The second layer is a review of the previous independent decision by a newly established Data Protection Review Court, which can be sought by the complainant or by an element of the US Intelligence Community, the group of US government intelligence agencies and subordinate organizations. The Data Protection Review Court will be established within the US Department of Justice and will consist of six or more judges appointed by the Attorney General and chosen from outside the US Government to provide an independent and impartial review. Its decisions, made in three-judge panels, will be final and binding. The panel will interpret the Executive Order exclusively according to US law and legal traditions and, more generally, will be guided by decisions of the US Supreme Court. A special advocate will be selected by the Court to support the complainant’s interest in the matter.
Further changes to follow as a result of the Executive Order are (i) the extension of the responsibilities of legal, oversight, and compliance officials, (ii) the requirement for the Intelligence Community to update its policies and procedures, and (iii) the obligation of the Privacy and Civil Liberties Oversight Board to review Intelligence Community policies and procedures to ensure that they are consistent with the Executive Order (including regular annual reviews).
What will this mean for the future of EU-US data transfers?
The EU-US Data Privacy Framework has been submitted to the European Commission, which is now responsible for proposing a draft adequacy decision and initiating the adoption process. That process consists of multiple steps: (i) obtaining an opinion from the European Data Protection Board (EDPB) and (ii) obtaining the green light from a committee composed of representatives of the EU Member States; (iii) in addition, the European Parliament has a right of scrutiny over adequacy decisions. The process is expected to take between four and six months, so a final pact is likely to be adopted by March 2023.
Once a final adequacy decision is adopted, data will be able to flow freely and safely between EU and US companies certified by the US Department of Commerce. US companies will be able to join the framework by committing to comply with a detailed set of privacy obligations. Those companies that have continued to adhere to the Privacy Shield Principles will be contacted and supported by the US Department of Commerce in order to facilitate the transition.
Nevertheless, it should be kept in mind that even though the adoption of the adequacy decision is likely, some data protection agencies have already expressed that they want to initiate a judicial review of the new framework by the ECJ, as there are still doubts about the equivalence of the review and redress mechanisms and the general extent of protection proposed by the Executive Order. As the procedure is still in progress, current mechanisms such as the introduction and use of SCCs and Binding Corporate Rules are imperative.



