
A Fresh Take

Insights on US legal developments


Glimmers of a New, Shinier Privacy Shield?: Executive Order Released for the Latest EU-US Trans-Atlantic Data Agreement

Companies seeking to facilitate the transfer of personal data from the EU to the US will welcome the news that President Biden has released the long-awaited Executive Order in support of transatlantic data transfers. This Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, issued on October 7, 2022, marks the next step in implementing a new Trans-Atlantic Data Privacy Framework (informally known as “Privacy Shield 2.0”) for transfers of personal data from the EU to participating US companies, replacing the former Privacy Shield program.

What is the Trans-Atlantic Data Privacy Framework?

The Trans-Atlantic Data Privacy Framework (the Framework) is a new structure negotiated between the European Commission and the US to allow the transfer of personal data from the EU to eligible US companies that choose to participate in the Framework. The Framework will replace the prior Privacy Shield program, which was invalidated by the European Court of Justice in July 2020. (In turn, the Privacy Shield program replaced the earlier Safe Harbor program, which similarly had been invalidated in October 2015 by the European Court of Justice.) The invalidation of the Privacy Shield program created uncertainty about the legality of transatlantic transfers of personal data, and in principle, restricted such data transfers from the EU to the US. While other mechanisms to transfer personal data to the US are available, such as the Standard Contractual Clauses (SCCs), the Privacy Shield program was popular as a dependable and straightforward mechanism.

Following the invalidation of the Privacy Shield program by the European Court of Justice in 2020, the US and the European Commission promptly began discussions on a successor Framework to support data flows from the EU to the US. In March 2022, the US and the European Commission released a joint statement committing to a new transatlantic data privacy framework that would specifically address the concerns raised by the European Court of Justice when it struck down the Privacy Shield.

What New Protections Does the Executive Order Provide for Trans-Atlantic Data Flows?

In invalidating the Privacy Shield program, the European Court of Justice had expressed concerns about the scope and proportionality of US government surveillance activities, and the level of recourse available to EU individuals to object to such activities. The Executive Order seeks to address these concerns.

As previewed in the March 2022 statement, the Executive Order places new restrictions on US signals intelligence activities (i.e., collection of foreign intelligence from communications and electronic systems) and provides new redress mechanisms for EU individuals who believe their personal data has been collected through US signals intelligence activities in violation of US law. The Executive Order includes the following key components:

  • Additional safeguards for US signals intelligence activities: The Executive Order adds further safeguards for US signals intelligence activities, providing that such activities shall be conducted only when “necessary to advance a validated intelligence priority” and “only to the extent and in a manner proportionate to that priority.” When determining whether collection activities are consistent with this principle, the Executive Order states that the US shall consider the availability, feasibility, and appropriateness of less intrusive sources and methods for data collection to advance the particular intelligence priority. For example, the US may consider diplomatic and public sources and other appropriate alternatives.
  • Redress mechanisms: The Executive Order provides for creation of a new multi-layer redress mechanism that will be available to EU individuals, and to individuals of other “qualifying states,” who believe that the US has unlawfully collected or handled their personal data through US signals intelligence activities, in violation of US law.
               - As the first layer of review, such complaints will be reviewed by the Civil Liberties Protection Officer (CLPO) in the Office of the Director of National Intelligence. Notably, the CLPO’s determinations are binding on the intelligence community. The CLPO shall either determine that the review did not identify any covered violations, or issue a determination requiring appropriate remediation. If a violation is found, the applicable US intelligence community organizations must comply with the CLPO’s determination and undertake appropriate remediation for the unlawful collection or handling of personal data.
               - As a second layer of review, the complainant or an element of the US intelligence community may apply for an independent and binding review of the CLPO’s decision by the new Data Protection Review Court (DPRC). The DPRC will be established by the Attorney General and its judges will be appointed from outside the US government. The DPRC will have full authority to adjudicate claims and direct remedial measures as needed. When the DPRC reviews a CLPO decision, it will select a special advocate to advocate regarding the complainant’s interest in the matter.
  • Policies and procedures: The Executive Order requires US intelligence community organizations to update their policies and procedures to address the new safeguards contained in the Executive Order. It also expands the responsibilities of legal, oversight, and compliance officials to comply with the new requirements and to address non-compliance.
  • Oversight: The Executive Order directs the Privacy and Civil Liberties Oversight Board (PCLOB) to review intelligence community policies and procedures to ensure they are consistent with the Executive Order. Thereafter, PCLOB will conduct annual reviews of the redress process.

The Executive Order is an important component of the new Framework, and is intended to resolve the concerns that resulted in invalidation of the Privacy Shield (and Safe Harbor). Despite the efforts of the European Commission and the US government to address these concerns, the Framework is expected to face similar legal challenges. Indeed, Max Schrems, the individual who filed the legal challenges that resulted in invalidation of the Safe Harbor and Privacy Shield programs, has indicated his intent to challenge the Framework as well.

Relevance of Executive Order to use of SCCs and BCRs

Although the Framework will not be finalized and available for some time, the Executive Order already may offer some assistance to companies transferring data from the EU to the US. Under EU law, a “transfer impact assessment” (TIA) must be completed before using SCCs or binding corporate rules (BCRs) to transfer personal data outside the EU. TIAs are used to check whether the personal data being transferred is sufficiently protected, in the specific circumstances of the transfer, to the standards required by EU law. Because the additional safeguards set out in the Executive Order take immediate effect, TIAs may be able to take into account the additional protections offered by the Executive Order even before the new Framework is finalized.

What’s Next?

The Framework will need to undergo further steps before it is finalized and available for companies to use. For example, the European Commission will need to prepare and adopt an adequacy decision for the Framework, a process that includes consultation with the European Data Protection Board (EDPB). The European Parliament will also have the right to review the Framework. The EDPB’s opinion, while not binding, must be considered before the European Commission puts the Framework before Member States for approval. The European Commission has issued a Q&A on the Executive Order and Framework, which gives further detail on the next steps in the process. It is anticipated that the EU’s approval process will take around six months, which suggests a decision may be reached around March 2023.

As a reminder, the Framework will not address transfers of personal data from the UK. The Privacy Shield was also invalidated as a mechanism for transfers of personal data to the US under the UK’s post-Brexit data protection regime. Instead, the UK government is separately working with the US on potential transatlantic data agreements, including a potential adequacy agreement. In support of this, the UK has announced that the US will work to designate the UK as a qualifying state under the redress mechanisms of the Executive Order. The UK hopes to submit the resulting adequacy mechanism to the UK Parliament in early 2023. UK companies will also be able to consider the additional protections granted by the Executive Order in TIAs when utilizing the UK equivalents of SCCs and BCRs.

While the Framework is not yet formalized, US companies have an opportunity to begin reviewing their transatlantic data flows well in advance of the formal new program, to ensure that the most advantageous data flow mechanisms are in place for the applicable data transfers.
