After a two-year absence of a legal framework for the transfer of personal data from the EU to the United States, President Biden signed an executive order on October 7, 2022 on Enhancing Safeguards for United States Signals Intelligence Activities (the “Executive Order”), which is intended to usher in a new EU-U.S. Data Privacy Framework (the “Framework”). The Executive Order limits how U.S. intelligence agencies may collect signals intelligence on individuals, including EU citizens, and creates new mechanisms to deal with allegations that personal information has been collected or processed in violation of U.S. law or the Executive Order.
The framework, which was first announced as an agreement in principle by Biden and European Commission President Ursula von der Leyen in March 2022, aims to restore the legal regime governing data transfers from the EU to United States, after the previous regime, the Privacy Shield, was struck down by the Court of Justice of the European Union (“CJEU”) in 2020.
Although the Executive Order authorizes measures to implement this new Framework under U.S. law, the European Commission will still have to issue an adequacy decision approving the Framework before it can be relied on for transfers.
Main provisions of the Executive Order
- Mandates that U.S. intelligence agencies may collect signals intelligence only for a defined national security objective, only when necessary to advance a validated intelligence priority, and only in a manner commensurate with that priority; U.S. signals intelligence activities must further consider the privacy and civil liberties of all individuals, regardless of nationality or country of residence;
- Creates requirements for the handling of personal data collected through signals intelligence and expands oversight to verify compliance and remedy instances of non-compliance;
- Creates a multi-step redress mechanism for individuals from “qualifying states” (expected to include the EU) and certain regional economic integration organizations to obtain a binding review of allegations that their personal information has been collected or processed in violation of U.S. law or the Executive Order, including:
- A Civil Liberties Protection Officer (“CLPO”) in the Office of the Director of National Intelligence to investigate complaints and determine corrective action binding on the Intelligence Community, subject to the second level of review described below;
- The creation of a Data Protection Review Court (“DPRC”) to conduct independent and binding review of CLPO decisions. DPRC judges will be appointed from outside the U.S. government, must have a background in data privacy and national security law, and will be protected from removal;
- Directs the U.S. intelligence community to update policies and procedures to reflect the safeguards provided in the order, and directs the Privacy and Civil Liberties Oversight Board to review these policies and procedures annually.
US – EU Data Transfers – A Changing Landscape
In announcing the Executive Order, President Biden emphasized that a key objective of the Framework is to provide legal certainty around transatlantic data transfers, in the context of the $7.1 trillion economic relationship between the United States and the EU.
U.S. and EU officials have been negotiating the terms of the Framework since the previous U.S.-EU data privacy regime, governed by the Privacy Shield agreement, was struck down in July 2020 by the CJEU. In that decision, known as Schrems II, the CJEU overturned the European Commission’s 2016 adequacy decision approving the Privacy Shield for two main reasons: first, because it determined that U.S. national security surveillance of transferred data was not limited to what is strictly necessary and proportionate, so the Privacy Shield did not adequately protect EU data subjects against it; and second, because EU data subjects had no effective redress mechanism before an independent body in the event of an alleged breach of their privacy.
The new Framework appears to address these issues directly through new restrictions on the collection of signals intelligence and the establishment of the tiered redress mechanism. Notably, the restrictions incorporate the “necessary” and “proportionate” language used in EU case law, define legitimate objectives for which signals intelligence may be collected and objectives for which it may not, and identify specific privacy and civil liberties safeguards. In addition, the redress mechanism is a marked improvement over the mechanism in the old Privacy Shield Framework, which relied on an Ombudsperson in the U.S. State Department. These mechanisms, among others incorporated into the Executive Order, reflect efforts by the United States to improve its approach to protecting the privacy of EU data subjects since Schrems II.
As the proposed new Framework goes through the approval process, companies should plan to continue using the transfer mechanisms they rely on today, such as standard contractual clauses (“SCCs”) and binding corporate rules (“BCRs”), until the new Framework is actually in force and those mechanisms are no longer needed for the transfers in question.
With the U.S. Executive Order now signed, the European Commission is expected to prepare a draft adequacy decision for consideration by member state governments and the European Data Protection Board. Following these reviews, the European Commission would issue an adequacy decision affirming that the new Framework provides EU data subjects with data privacy safeguards, in relation to transfers to the United States, that meet the requirements of the GDPR. While it remains unclear whether EU authorities will view the new Framework as sufficiently protective, following the White House announcement of the Executive Order the European Commission (“EC”) issued a statement indicating that it did not expect the CJEU to invalidate this agreement. The EC noted, “[t]he Commission’s objective in these negotiations has been to respond to the concerns raised by the Court of Justice of the EU in the Schrems II judgment and to provide a durable and reliable legal basis for transatlantic data flows. This is reflected in the safeguards included in the Executive Order. . . .”
On the U.S. side, the Attorney General issued implementing regulations establishing the DPRC. Additionally, Commerce Secretary Gina Raimondo said she would send the various implementation documents from U.S. government agencies to her EU counterpart. Secretary Raimondo also said that the new Framework will update the privacy principles that participating companies must adhere to (formerly known as the EU-U.S. Privacy Shield Framework Principles), and that the Department of Commerce will work with Framework participants to transition to the updated principles.
Businesses, including the more than 5,300 multinationals that relied on the Privacy Shield framework before its invalidation, are eager to see a new Framework that streamlines data transfers between the EU and the United States. Since Schrems II, many companies that needed to transfer personal data from the EU to the United States have used other approved transfer mechanisms, such as standard contractual clauses and binding corporate rules, to comply with the requirements for transfers of personal data under the EU General Data Protection Regulation (“GDPR”).
Meanwhile, Max Schrems, the Austrian privacy activist who brought the challenges that overturned the previous data transfer frameworks, has already indicated that he will challenge the new Framework, and has expressed skepticism about the validity of the new DPRC as a tribunal and about whether the EU and the U.S. are truly aligned on what constitutes “necessary” and “proportionate” collection and use of data by intelligence authorities.
The new Framework fills an important gap and promises to give businesses greater legal certainty when transferring personal data from the EU to the United States, and marks a further step in the development of U.S. data privacy protections.