On 7 October 2022, President Biden announced the signing of a new Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities ("Executive Order"). The Executive Order, in conjunction with other steps outlined in this note, constitutes the United States' commitments made under the European Union–US Data Privacy Framework (the "Framework") announced by President Biden and European Commission President von der Leyen in March 2022.
The Framework specifically concerns the international transfer of data from the EU to the US and seeks to address the legal lacuna left by the European Court of Justice's ("CJEU") ruling in Schrems II. It does not, however, alter businesses' general privacy and data governance compliance obligations, which are becoming increasingly burdensome as leading economies seek to introduce ever more stringent safeguards on the use and processing of data.
In addition, mention of the UK was notably absent from the announcement, and while the Executive Order may ultimately benefit UK data subjects, it remains to be seen whether transatlantic data transfers will remain harmonised.
We outline below the background to the Framework, the changes introduced by the Executive Order and its implications for US data transfers, and provide some insights and key takeaways for businesses moving forward.
How did we get here?
Chapter V of the EU General Data Protection Regulation ("EU GDPR") restricts transfers of personal data outside the EU/UK unless: i) that transfer is to a territory deemed to provide an adequate level of protection for personal data; ii) a derogation applies; or iii) an appropriate transfer mechanism is used.
The most common transfer mechanism has historically been the EU's standard contractual clauses ("SCCs"). The SCCs constitute a framework of non-variable contractual safeguards which, when executed by contracting parties, seek to elevate the standard of data protection provided for in the country to which the data is being transferred to the standard required under EU GDPR. The SCCs were most recently updated by the European Commission in June 2021 and many businesses are currently undergoing the extensive exercise of repapering their data processing arrangements in line with the EU's 27 December 2022 deadline.
Transfers to the US have historically benefited from adequacy-like treatment under an EU–US privacy framework known as Privacy Shield.[1] Under the Privacy Shield, businesses could voluntarily commit to comply with the Privacy Shield's principles which set out requirements governing participating organisations' use and treatment of personal data received from the EU, as well as the access and recourse mechanisms that participants must provide to individuals in the EU. The Privacy Shield included a redress mechanism through the establishment of an Ombudsperson to whom complaints about mistreatment of personal data could be directed.
In the Schrems II decision, however, the CJEU ruled in 2020 that the Privacy Shield was incompatible with the GDPR, throwing EU–US data transfers into significant legal uncertainty. The Schrems II decision introduced a new dynamic to how organisations must assess the impact of their overseas transfers on the rights and freedoms of data subjects. In particular, it placed a heightened emphasis on the applicability of local laws and practices in the destination country that might undermine the contractual safeguards of the SCCs. This assessment, which must be documented in the form of a Transfer Risk Assessment or "TRA", requires data exporters to consider the necessity of supplementary measures (including technical measures) to mitigate any identified risks resulting from the overseas transfer.
The European Commission sought to address a number of the concerns identified in Schrems II in its revised SCCs. Despite this, data transfers to the US have been placed under significant scrutiny, with big tech in particular being the subject of a number of adverse rulings.[2]
Lastly, it is important to note that, by virtue of retained EU law, the CJEU's Schrems II judgment also applies to UK–US transfers of personal data.
The Data Privacy Framework – what's new?
The Framework aims to restore the legal basis for the free flow of data to the US by addressing the concerns raised by the CJEU in Schrems II and, more broadly, European concerns around unfettered US surveillance activities. The Executive Order seeks specifically to address the two main failings the CJEU cited in Schrems II, namely:
- the lack of necessity and proportionality limitations on US surveillance programs; and
- insufficient redress rights to challenge unlawful government surveillance.
The Executive Order is one of three components which collectively make up the Framework; the other two are:
- new Department of Justice regulations issued by the Attorney General which establish a Data Protection Review Court ("DPRC"); and
- enhancements to the commercial data protection principles to which US organizations self-certify under the Privacy Shield.
It is important to stress that no aspect of the Executive Order or Framework replaces or limits the scope of existing US surveillance laws. Instead, the Executive Order seeks to address concerns about surveillance by adding a layer of protection for individuals via additional due process protections on the use of surveillance mechanisms by US intelligence agencies.
Importantly, unlike previous legal authorisations and restrictions of surveillance authorities, the Executive Order does not establish different protections for US persons and non-US persons. Instead, it imposes due process protections on the data collection activities of US surveillance agencies regardless of the subject of their surveillance.
The Executive Order sets out a collection of safeguards which require US intelligence authorities to limit US signals intelligence activities to what is necessary and proportionate, laying out twelve legitimate objectives for signals intelligence collection activities.[3]
The Executive Order also includes limitations on intelligence-gathering activities and sets out the following prohibited purposes:
- Suppressing or burdening criticism, dissent, or the free expression of ideas or political opinions by individuals or the press;
- Suppressing or restricting legitimate privacy interests;
- Suppressing or restricting a right to legal counsel; or
- Disadvantaging persons based on their ethnicity, race, gender, gender identity, sexual orientation or religion.
Notably, the Executive Order still allows bulk collection of signals intelligence but limits its scope. It provides a narrower subset of legitimate national security and/or intelligence objectives authorising bulk collection and states "targeted collection shall be prioritised."
The second core facet of the Framework is the creation of a new two-tier redress mechanism to address a key deficiency highlighted by the CJEU in Schrems II, namely the lack of actionable rights or effective remedy for data subjects.[4]
The first tier of the new redress mechanism allows data subjects to lodge a complaint with their data protection regulator who, in turn, can opt to complain to the newly created Civil Liberties Protection Officer ("CLPO"), a directorate of the Office of the Director of National Intelligence. The CLPO will be mandated to independently investigate the complaint and determine if the Executive Order's enhanced safeguards or other applicable US law were violated and, if so, to determine the appropriate remediation. The Executive Order obligates the US intelligence community to cooperate with the CLPO and agencies will be legally bound by the CLPO's decision (subject to the second layer of review).
The second tier of the new redress mechanism takes the form of the newly created Data Protection Review Court ("DPRC"). The DPRC will consist of three judges per case who are appointed from outside the US government and have relevant experience in data privacy and national security. Due to the classified nature of the discussions and US intelligence gathering activities, complainants will not be aware if their case is before the DPRC and, consequently, cannot represent their own interests, but rather will be represented by special advocates.
While on paper the two-tier redress mechanism would appear to be an enhancement to the legacy regime, a fundamental deficiency identified by the CJEU in Schrems II remains, namely that data subjects are not informed that they may be the subject of surveillance and have no way of knowing if their rights have been preserved. In fact, it remains to be seen how exactly a data subject will be able to effectively initiate the redress process, given that at all times US intelligence activities will remain classified. Furthermore, the Executive Order makes it clear that once a review under the redress mechanism is completed the data subject will only be notified of the outcome, but not whether they were ever the subject of US intelligence activities.
Under the Framework, only individuals in "qualifying states" benefit from the enhanced protections and redress mechanism, and the US Attorney General must designate countries or regional economic groups as "qualifying states". A jurisdiction will meet the qualifying state threshold if:
- its laws require appropriate safeguards for signals intelligence activities for US persons' personal information transferred from the US to the qualifying state's territories;
- it permits, or is expected to permit, the transfer of personal information for commercial purposes between the qualifying state's territory and the US; and
- the designation would advance US national interests.
On that basis, businesses should note that this redress mechanism is not immediately applicable. First, the independent administrative court must be established, independent judges found, and the EU designated by the Attorney General as a "qualifying state". It is also worth noting that the Attorney General's office has the power, in consultation with other federal agencies, to revoke or amend a "qualifying state" designation if the criteria above are no longer met. Although many assume the EU will be deemed a "qualifying state", this is not guaranteed, and the reciprocal nature of safeguards and the potential requirement of redress for US citizens in EU member states may prove a stumbling block in the coming months.
Other implications of the Executive Order
Beyond the safeguards and redress mechanism described above, the Executive Order also:
- Imposes data processing requirements. The Order mandates that personal data collected via signals intelligence activities be properly processed, and enhances the legal, oversight and compliance functions to remediate non-compliance.
- Directs US intelligence agencies to update their policies and procedures. This must be done to comply with the Order's safeguards.
- Requires review of US intelligence agency policies and procedures. This will be done by the Privacy and Civil Liberties Oversight Board to verify compliance with the Order, as well as annual reviews of the redress process.
- Imposes limitations on the retention of personal data. This applies to data collected via signals intelligence activities.
Change in Privacy Shield principles
Lastly, the Framework will also update the privacy principles that companies self-certify to under the Privacy Shield, repackaging them as the "EU–US Data Privacy Framework Principles". Since the Privacy Shield Principles were negotiated while the GDPR was being finalised, they reflected its substantive provisions, but still referenced the 1995 EU Data Protection Directive. US authorities have indicated that the new DPF will update all references in the commercial principles to refer to the GDPR directly. Further updates and guidance will no doubt be issued by the US Department of Commerce on how to reflect these changes in privacy policies and their self-certification.
A path to adequacy, or stormy seas ahead?
On the back of President Biden's announcement, the European Commission indicated its intention to proceed with the adequacy process for the Framework and revised Privacy Shield. An adequacy decision for the Privacy Shield would be considered a significant improvement in the current EU–US data transfer status quo and be understandably welcomed by businesses on both sides of the Atlantic. However, any businesses working on the assumption that a US adequacy decision is a fait accompli may not fully understand the challenges still ahead.
How the adequacy process works
The adequacy process begins with the European Commission drafting an adequacy determination. This draft decision is then sent to the European Data Protection Board ("EDPB"), which will issue an opinion on the draft adequacy determination, as required under Article 70(1)(s) of EU GDPR. Recent EDPB opinions on adequacy determinations for the UK and South Korea have provided neither outright endorsement nor outright censure, instead calling for clarification and ongoing monitoring. Importantly, the EDPB's opinion does not bind the Commission. However, it will at the very least offer some insight into the potential scope for later judicial challenges to the adequacy decision.
The draft decision is then typically subject to scrutiny by the European Parliament, which may also adopt a resolution setting out its position on the adequacy decision at any point, though this too is non-binding. The Commission may adjust its draft decision in response to input from the EDPB, the European Parliament, the European Council and any other stakeholders. However, due to the intense political and technical negotiations which often precede an adequacy determination, any significant departure from the original draft has historically been rare.
Once the adequacy determination is finalised, the Commission must obtain Member States' approval via the European Council. On approval, the decision is formally adopted, and takes immediate effect once published in the Official Journal of the European Union.
The time taken by the Commission to complete the above process varies across adequacy decisions and can be a matter of months. The process for the US Privacy Shield adequacy decision in 2016 took five months; four months were required for 2021's UK adequacy decision; and it was six months before the South Korea adequacy decision was formally adopted.
Likely challenges to US adequacy
As mentioned above, the Framework is not a silver bullet for the concerns raised under Schrems II, and all of the issues identified above have been well publicised by European politicians, NGOs and key stakeholders alike. On the Commission's part there is clear impetus and willingness to get an adequacy decision finalised as soon as possible, with the Framework receiving a high-level endorsement from the President of the Commission, Ursula von der Leyen.
However, it would be inaccurate to say that the enthusiasm of President von der Leyen is shared across the European institutions, in particular by the EDPB and the European Parliament, which have, thus far, shown scepticism towards US surveillance activities.
In addition, even if the European Commission approves an adequacy decision, it is almost certain that a challenge will be brought by NGOs such as Max Schrems' NOYB – European Centre for Digital Rights.
Finally, while it may seem that the US has now done its part, the form by which the majority of the Framework came to fruition, namely an Executive Order, has not been lost on stakeholders. Executive orders are entirely the domain of the President of the day and, although some executive orders are long lasting, they can be revoked at any time by the President.[5] In addition, another presidential power, that of Presidential Policy Directives or "PPDs", should also be considered in the context of the Framework. PPDs can be used either to limit or to enhance US intelligence gathering activities. Crucially, PPDs are classified unless the President decides to make them public, and it was thought that President Trump issued a wide range of PPDs directing intelligence gathering activities during his tenure. Moreover, with the next US presidential election just over two years away, there is a real possibility that the whole Framework could be revoked and dismantled, returning businesses to the current legal uncertainty of transatlantic data transfers.
Taken together, these are the reasons we anticipate that the pathway to a US adequacy decision is unlikely to be plain sailing, and certainly not within the typical timeframes previous adequacy decisions have taken. It is likely that the Framework has a long path ahead before any real changes are brought in which have a practical, beneficial impact on businesses. Beyond this, we are almost certain that any finalised adequacy decision will be the subject of challenge, meaning that in the next 3–4 years we could well be discussing the implications of Schrems III.
What about the UK?
While the UK is not specifically included in the Framework, developments on UK–US data transfers have also been made, and on 7 October 2022 the UK and US governments issued a joint statement announcing "significant progress" on UK–US data adequacy. In that regard, it is important to stress that the Executive Order is not EU-specific and it is expected that the UK will be designated as a "qualifying state". To that end, the UK announced that it would "work expediently" to assess the adequacy of the Executive Order, though this will involve a formal consultation process with the Information Commissioner's Office ("ICO"), and the government does not expect to lay adequacy regulations before Parliament before early 2023.
Against that backdrop, the US–UK Data Access Agreement ("DAA") entered into force on 3 October 2022. The DAA allows UK and US law enforcement to directly request data held by telecommunications providers in the other party's jurisdiction for the exclusive purpose of preventing, detecting, investigating, and prosecuting serious crimes such as terrorism and child sexual abuse and exploitation, while remaining consistent with privacy and civil liberty standards. The DAA, though not specifically tied to the protections afforded to UK data subjects, provides a mechanism by which US intelligence agencies can go through the UK's official and, crucially, GDPR-compliant channels to obtain information.
Lastly, the UK is in the process of reforming its data protection and privacy framework through proposed new legislation, including the Data Protection and Digital Information Bill ("Data Reform Bill") and the Online Safety Bill. The Data Reform Bill can be characterised as an evolution rather than a revolution of the UK's current legislation. However, the Government has recently announced that it will 'replace' GDPR and pause the Data Reform Bill, which most certainly would constitute a revolution in data protection laws. If this announcement leads to UK data protection laws deviating significantly from the GDPR, it could lead to the UK losing its EU–UK adequacy. However, no legislation has yet been presented on this new "light touch" approach to data protection regulation.
In effect, in respect of the 7 October announcement, the UK is using the same mechanism for US adequacy as the EU, and this is of little surprise given the similarities in the underlying legislation. The fact that the starter's gun has been fired at practically the same time by both the EU and the UK raises the prospect that the UK will attempt to "overtake" the EU and pass its adequacy decision into law first. However, any putative competitive advantage the UK might gain by doing so is tempered both by the UK's seemingly counterproductive activities to abolish the UK GDPR and markedly diverge from the EU GDPR, and by the risks such an approach would pose to the UK's own adequacy status with the EU, which is dependent on the UK's arrangements with third countries remaining acceptable to the EU. The conclusion is that, on the one hand, the UK's adequacy decision is likely to closely mirror the EU's, but on the other hand, data transfers from, and between, the EU, UK and US could require assessment under three separate and distinct frameworks.
What does this mean for businesses?
In short, the announcement is to be welcomed and will, hopefully, in due course ease the paper burden of US data transfers. However, we are somewhat surprised by some of the commentary we have seen which suggests that, on the back of this announcement, the need for enhanced scrutiny and for conducting Transfer Risk Assessments is over. Such comments are, in our view, somewhat short-sighted.
Firstly, for the reasons set out above, it will take time for the US adequacy decision to be concluded, and if the Commission intends to implement US adequacy in a manner that reduces the likelihood of a successful challenge to adequacy, we expect it may take at least a year, meaning at least for now SCCs and TRAs will form the basis of the majority of EU to US transfers. As the Executive Order will immediately impact the risk of access to personal data from the EU by US intelligence agencies, TRAs reflecting these impacts will make existing mechanisms which organisations have in place, such as SCCs or Binding Corporate Rules, more effective.
Secondly, on the specific matter of transfer mechanisms and Schrems II, it is important to understand that all the recent announcements are confined to the US and, therefore, there has been no change in respect of transfers to all other third countries.
Thirdly, in terms of how businesses should be embedding expectations regarding international data transfers into their data governance frameworks, the trajectory points towards ever-increasing restrictions and scrutiny over overseas data transfers, not less. In fact, over the past two years, the EU alone has published numerous new data regulatory frameworks which introduce data localisation requirements and/or enhanced restrictions on overseas transfers, notable ones being the Data Governance Act, the Digital Operational Resilience Act (or "DORA") and the Proposed European Health Data Space Act.
It is for these reasons that we are of the view that assessments such as TRAs, enhanced contractual safeguards and supplementary measures are here to stay, and that businesses should continue to take steps to embed such data governance into their internal processes.
Lastly, a note on Binding Corporate Rules ("BCRs") which, for the most part, have emerged relatively unscathed from the chaos of the last two years. For large multinational organisations who have had to significantly enhance their data governance practices as part of adapting to Schrems II, Brexit and the ever-increasing data protection rigour introduced throughout the world, BCRs represent an attractive opportunity to generate a degree of harmonisation and operational efficiency in data governance and oversight.
Key takeaways for businesses
While we await the adequacy decision from the European Commission and any possible legal challenges that may follow, our top practical takeaways from the recent developments on data transfers are as follows.
- Although this announcement is a welcome development, nothing has changed for businesses seeking to transfer data from the EU (and the UK) to the US. Businesses need to continue to remain compliant with the EU GDPR, and the SCCs, in conjunction with transfer risk assessments, will continue to be the norm.
- Businesses conducting TRAs in respect of transfers to the US can update their TRAs to reflect the immediate impact of the Executive Order but conducting a TRA is still required.
- For businesses that have kept their Privacy Shield certification, keep in touch regarding further updates and guidance on how existing certifications can be adapted to the new Framework; for those yet to certify to Privacy Shield, we would suggest holding off until the detail is published.
- For data transfers subject to the UK GDPR, the announcements should also be welcomed, but a watching brief should be maintained over the UK's data reform initiatives, which could result in data transfers to/from the UK becoming more (not less) complex.
- It is important to bear in mind that these recent developments only concern EU/UK-to-US transfers and have no relevance to international transfers to other third countries; for businesses with large processing operations in countries such as China, India, the Philippines, Australia, and beyond, our advice is to carry on as normal.
- The trajectory points to ever-increasing scrutiny and oversight in respect of international data transfers, and businesses should continue to embrace and embed concepts such as TRAs and supplementary measures into their overarching data governance strategy.
- The benefits of BCRs (both EU and UK) continue to increase and they remain the gold standard for organisations with a global footprint.
For more than two years, the legal basis for data flows from the EU to the US has been uncertain, and although the new DPF hopes to resolve this uncertainty, it is not a golden ticket for transatlantic data transfers yet.
1. Prior to Privacy Shield, transfers to the US could be made under the legacy Safe Harbor scheme, a self-certification program which was abolished in 2015 as a consequence of the CJEU ruling Safe Harbor to be incompatible with the EU Data Protection Directive in the Schrems I case.
2. These include enforcement actions by European Data Protection Authorities regarding the use of Google Analytics.
3. These include assessing the capabilities of a foreign government, military or political organisation, protecting the national security of the US or its allies, assessing transnational threats to global security, combatting terrorism and hostage crises, and protecting against espionage and cybersecurity threats.
4. In particular, the CJEU was of the view that neither Presidential Policy Directive 28 nor the mechanism established under Executive Order 12.333 "grants data subject rights actionable in the courts against the US authorities, from which it follows that data subjects have no right to an effective remedy."
5. Coincidentally, the Executive Order actually repealed parts of Executive Order 12.333.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.