The US has taken a giant step forward on the path to creating a reliable, approved data flow agreement between the United States and the European Union. On October 7, 2022, President Biden issued an Executive Order implementing the EU-US Data Privacy Framework (“DPF”) that the President and EU Commission President von der Leyen agreed to in March.
In 2020, the Shrems II case, decided by the Court of Justice of the European Union (“CJEU”), invalidated the EU-US Privacy Shield, essentially forcing all data transfers from the EU to the US to begin relying on the use of the EU’s standard Contractual Clauses as the legal basis for the data transfer. However, even that process was called into question and some even argued that trans-Atlantic data flows were effectively banned.
So, what is the goal of the DPF and this new executive order? To address the two main problems with the prior framework that led the CJEU to strike it down:
- US surveillance of EU citizens has to be necessary and proportionate within the meaning of the EU’s Charter of Fundamental Rights and
- EU citizens must have access to redress if their personal data has been improperly accessed or processed (according to EU protections) by US intelligence activities.
Necessary and proportionate
Essentially, the CJEU expressed concern that, under current laws, US intelligence services had a much wider latitude in accessing EU residents’ personal data than would be allowed under EU law (specifically, the GDPR). This meant that companies exporting that data were essentially stripping EU residents of their GDPR rights when the data was exported.
Specifically, the CJEU found that “neither Section 702 of the [Foreign Intelligence Surveillance Act], nor E.O. 12333 [the primary Executive Order granting the NSA authority to collect, retain, analyze, and disseminate foreign signals intelligence information] read in conjunction with [the Presidential Policy Directive on signals intelligence activities], correlates to the minimum safeguards resulting, under EU law, from the principle of proportionality, with the consequence that the surveillance programmes based on those provisions cannot be regarded as limited to what is strictly necessary.”
The new Executive Order both imposes necessity and proportionality requirements and explains what qualifies as necessary and proportionate.
In explaining the intent of the new Executive Order, the White House stated that it, “adds further safeguards for US signals intelligence activities, including requiring that such activities be conducted only in pursuit of defined national security objectives; take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence; and be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority.” With these new restrictions on US intelligence services, the EU will be able to move forward in making an adequacy decision for the new DPF that will hopefully determine that the restrictions on US intelligence in the order are sufficient to meet the CJEU’s concerns.
Under EU law, EU residents have a right to judicial redress (i.e., to take it to the courts) if their data is improperly accessed or processed by the government. The CJEU analyzed US law and determined that, if an EU citizen’s data was accessed in a way that violated their rights in the EU or the US (EU citizens’ data would not receive the same protection that US citizen data woud), that EU citizen would have no recourse in a US court.
To address this particular problem, the Data Privacy Framework introduces a “multi-layer mechanism for individuals from… [the EU]… to obtain independent and binding review and redress of claims that their personal information collected through US signals intelligence was collected or handled by the United States in violation of applicable US law, including the enhanced safeguards in the [Executive Order].”
The mechanism includes the creation of a Civil Liberties Protection Officer who would be housed in the US Office of the Director of National Intelligence. That person’s role will include conducting investigations into complaints to determine whether the safeguard in the Executive Order and other applicable US laws have been violated. They would also have the authority to determine the appropriate steps for correcting the violation. This would be the first step in giving EU citizens access to redress for violations of the privacy by US government intrusion into their data that has been transferred from the EU to the US.
The mechanism would also create a new court, the Data Protection Review Court, which would independently review the decisions of the Civil Liberties Protection Officer. The Review Court’s decisions would be binding. Anyone appointed to the Review Court would need experience in both data privacy and national security and would be appointed from outside of the US government.
Now that the Executive Order on intelligence activities has been issued, the DPF can continue to move forward. The EU ratification process may take up to six months, meaning that it could occur in March of 2023 (potentially sooner, but, given the history, it is unlikely to receive approval at an earlier date). In the interim, companies that are relying on Standard Contractual Clauses for the trans-Atlantic data transfers should continue to perform transfer impact assessments and adopt supplementary measures in order to protect the data they are transferring out of the EU and into the US.
Simplify your GDPR compliance with SixFifty
SixFifty can help your business comply with the GDPR. Our privacy tools are always up to date, no matter how the laws change. Save time and money by letting us do the heavy lifting.
For more information about our GDPR privacy products, schedule a demo today.