Two years after the Court of Justice of the European Union (“CJEU”) judgment in Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (Schrems II) invalidated the EU-U.S. Privacy Shield, forcing businesses to adopt standard contractual clauses in order to transfer personal data across the Atlantic, the United States has implemented its side of a new privacy framework, moving the European Union and the United States one step closer to the free flow of data.
An executive order signed October 7, 2022, titled “Enhancing Safeguards for United States Signals Intelligence Activities,” comes seven months after President Biden met with European Commission President Ursula von der Leyen and announced that they had reached an agreement in principle to reestablish adequate safeguards for the free transfer of data from the European Union to the United States.
The agreement in principle, announced on March 25, 2022, directly addresses the concerns raised in Schrems II.
In Schrems II, the CJEU invalidated the EU-U.S. Privacy Shield after determining that the Privacy Shield transfer mechanism did not ensure the level of protection required under the EU General Data Protection Regulation (“GDPR”), for two reasons.
First, the CJEU found that U.S. intelligence authorities had access to personal data that went beyond what is strictly necessary, which strongly suggested that U.S. policy prioritized national security over the rights of EU data subjects.
Second, the CJEU took issue with the lack of effective redress mechanisms for EU data subjects whose privacy has been violated by U.S. government surveillance.
With the invalidation of the EU-U.S. Privacy Shield, businesses subject to the GDPR have been relying on standard contractual clauses (“SCCs”) to transfer data outside of the European Union.
A NEW U.S. PRIVACY FRAMEWORK
As part of that agreement in principle, made on March 25, 2022, U.S. President Biden and European Commission President Ursula von der Leyen agreed to the creation of a legal framework under U.S. law that directly addresses the two major concerns raised by the CJEU. The United States committed to strengthening the privacy and civil liberties protections of EU data subjects by (1) agreeing to create binding safeguards that limit access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security, and (2) creating a new two-tier redress system to investigate and resolve complaints.
LIMITING ACCESS TO DATA BY U.S. INTELLIGENCE
The order increases safeguards for U.S. signals intelligence (“SIGINT,” intelligence derived from the electronic signals and systems used by foreign targets) activities by mandating that U.S. intelligence agencies may conduct such collection only when it is necessary to advance a validated intelligence priority in pursuit of a defined national security objective. The order also sets a proportionality requirement: intelligence agencies may collect only SIGINT that is proportionate to the validated intelligence priority for which it is authorized.
The order further addresses the concerns regarding the U.S. government's access to personal data by creating requirements for the handling of personal data and expanding oversight in an effort to ensure compliance.
Under this new standard, U.S. SIGINT collection targeting EU individuals is permitted only in pursuit of at least one of 12 legitimate objectives, which include, but are not limited to:
- Understanding and assessing the activities, intentions and capabilities of foreign governments and organizations that pose a threat to the national security of the United States;
- Protecting against foreign military capabilities, terrorism, espionage or other intelligence activities conducted by, on behalf of, or with the assistance of a foreign government;
- Protecting against cybersecurity threats and threats from the development or proliferation of weapons of mass destruction;
- Protecting against threats to personnel of the United States and its allies and transnational criminal threats;
- Protecting the integrity of elections and the political process and infrastructure of the United States.
The executive order also requires the head of each element of the intelligence community, in consultation with the Attorney General, the Civil Liberties Protection Officer (“CLPO”) of the Office of the Director of National Intelligence, and the Privacy and Civil Liberties Oversight Board (“PCLOB”), to update policies and procedures within one year in order to implement the safeguards outlined in President Biden's executive order.
NEW REDRESS MECHANISMS
The order also expands redress mechanisms for privacy violations by the U.S. government by creating a two-layer mechanism through which qualifying individuals can obtain an independent and legally binding review, and redress, if they believe their personal information was mishandled by U.S. SIGINT activities.
The first layer of redress available to qualifying EU data subjects is an investigation by the CLPO, who will examine qualifying complaints to determine whether a violation in fact occurred and, if so, order binding remedial measures. As part of this role, the CLPO will:
- Review any relevant information necessary to investigate complaints;
- Make a determination of a violation by balancing the expressed national security interest as well as applicable privacy protections;
- Apply the law impartially and determine the remediation for any covered violation; and
- Provide a classified report on information that indicates there was a violation.
Upon completion of this review, the CLPO will inform the complainant of its determination, typically through the appropriate public authority, without confirming or denying that the complainant was subject to U.S. SIGINT activities.
The second layer of redress is the newly created Data Protection Review Court (“DPRC”). At the direction of the Attorney General, a DPRC will be established to provide independent and binding review of decisions made by the CLPO. After a determination by the CLPO, either the complainant or an element of the intelligence community may apply for review by the DPRC. The DPRC will be composed of judges with more than two years' experience outside the U.S. government and with experience in data privacy and national security law. The DPRC shall impartially review the CLPO's determination of whether a covered violation occurred and whether the remediation ordered is appropriate. If the DPRC reaches a different conclusion than the CLPO, the DPRC shall issue its own determination.
THE NEXT STEP TOWARD ADEQUACY
It is important to note that this new privacy framework does not automatically reinstate an adequacy decision by the European Commission. The executive order is intended to supply the U.S.-side safeguards on which a new adequacy decision under Chapter V of the GDPR can be based, making it a major step toward adequacy rather than adequacy itself.
What this means is that businesses will still need to rely on standard contractual clauses and binding corporate rules until the European Commission completes its adoption process and issues a formal adequacy decision.
The European Commission will review the new U.S. Data Privacy Framework and is expected to prepare a draft adequacy decision that will commence the adoption process. The process includes:
- Obtaining an opinion from the European Data Protection Board and approval from a committee composed of representatives of the EU member states; and
- Scrutiny of the privacy framework, and of the draft adequacy decision based on it, by the European Parliament.
Once this process is complete and the framework is approved, the European Commission can finally adopt its adequacy decision as it relates to the United States. Only then will data be able to flow freely between the United States and the European Union as it did with the Privacy Shield.
As with the Privacy Shield, the process is expected to take anywhere from four to five months. Once the adequacy decision has been adopted, U.S. companies can join the framework by self-certifying to the U.S. Department of Commerce that they will comply with the framework's privacy principles.
CONCLUSION
The new privacy framework outlined in President Biden's executive order of October 7, 2022, has been welcomed by the European Commission as a significant improvement to data protection in the United States, particularly with regard to limits on government access to data and the availability of redress. This strongly suggests that the new privacy framework will in fact lead to an adequacy decision.
Not all seem to be satisfied with the solutions proposed in the executive order, however. Max Schrems, whose legal challenges have invalidated two legal privacy frameworks, has already commented on the framework, indicating he will analyze the package and stating “it will be back to the CJEU sooner or later.”
For that reason, companies should continue to use standard contractual clauses and other approved alternative data transfer mechanisms for the time being.
Originally published by The Computer & Internet Lawyer
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.