On October 7, 2022, President Biden signed an Executive Order (Order) on Enhancing Safeguards for United States Signals Intelligence Activities. This marks the latest step towards the new EU-US Data Privacy Framework (Framework), a replacement for the defunct EU-US Privacy Shield (Privacy Shield).
The next stage in the process is for the European Commission (EC), with input from the European Data Protection Board (EDPB), to assess the Order and Regulations issued by the Attorney General (Regulations) and determine whether they form a sufficient basis for issuing an adequate decision. This process is likely to take several months, during which time businesses must continue to rely on alternative data transfer mechanisms.
Background
The General Data Protection Regulation (GDPR) restricts how companies may transfer personal data outside the European Union (EU). The EC can adopt adequacy decisions in relation to particular countries, international organizations, or sectors if it considers that they provide an “adequate level of protection” for personal data. When an adequacy decision is in place, it allows personal data to flow freely between exporters and importers without the need to rely on additional transfer mechanisms (such as standard contractual clauses) or one of the derogations set out in the GDPR.
The forthcoming EC adequacy decision will provide a replacement for the former Privacy Shield that went into effect in 2016 but was invalidated by the Court of Justice of the EU (CJEU) in 2020 in the case known as “Schrems II“. The two main grounds the court relied on in reaching its judgment were that i) the Privacy Shield did not offer adequate protection to individuals’ data protection rights in light of the potential broad disclosure of personal data to the US intelligence services/public authorities ; and ii) the ombudsperson created by the Privacy Shield framework to address complaints by EU citizens lacked the independence and authority to adopt decisions binding US intelligence services.
At the time of its invalidation, more than 5,000 companies participated in the original Privacy Shield to transfer personal data legally under the GDPR. During the past two years, the EU and US have worked intensively to create a new data transfer framework. On March 25, 2022, they announced that they had finally reached a political agreement on a replacement for the Privacy Shield, at which time the White House noted in a fact sheet that the replacement would bring “vital benefits to citizens on both sides of the [A]tlantic,” with the continued flow of data underpinning “more than $1 trillion in cross-border commerce every year.”
However, the announcement that political agreement on a replacement had been reached was met with a mixed reception. In particular, the advocacy group NOYBAwhose Honorary Chairman Max Schrems was the lead plaintiff in the Schrems II case, described the development as “deeply concerning,” noting in an open letter that the new transfer mechanism was not based on statutory amendments to US surveillance laws, and does not provide EU data subjects with meaningful avenues for judicial redress. The group therefore promised to “challenge any final adequacy decision that would fail to provide the needed legal certainty.”
Details of the Order
The Order, together with the Regulations issued by the Attorney General, implements measures intended to address the CJEU’s concerns in the Schrems II case. In particular:
Additional safeguards when collecting and handling data. The Order and Regulations modify the protections afforded to Europeans under US law so that surveillance only occurs in pursuit of defined national security objectives, taking into account the individuals’ privacy and civil liberties, and only to the extent the surveillance is necessary and proportionate. The Order also establishes handling requirements for data collected for surveillance purposes and specifies a number of prohibited objectives for which intelligence activities may not be pursued.
Dual-layer redress mechanism. Where an eligible individual wants to bring a claim and challenge the collection or use of their personal data, the Order establishes the following dual-layer redress mechanism:
- At a first level of review, the Civil Liberties Protection Officer (CLPO) will review claims and determine whether US law was violated, and any appropriate remediation. The CLPO will be empowered to make binding decisions on the intelligence community and will benefit from protections to ensure his or her independence.
- A Data Protection Review Court (DPRC) comprised of judges from outside the US government will provide a second binding layer of review. The DPRC’s role will be to review the CLPO’s decisions, adjudicate on whether a violation of the law has occurred, and rule on what remediation may be necessary. Cases will be presented before the DPRC by a “special advocate,” who will advance the complainant’s interests.
Updates and continuous reviews. The Order requires the US intelligence services to update their policies and procedures as needed. It also requires the Privacy and Civil Liberties Oversight Board (PCLOB) to review said policies and procedures to ensure consistency with the Order, and to conduct an annual review of the dual-layer redress mechanism.
Reactions to the Framework
The EDPB, which brings together the data protection authorities of all EU countries, is expected to issue a statement on the Framework in the coming days. When the EU and US had announced their political agreement on the Framework, the EDPB issued a Statement in which it welcomed the development, noting that transfers from the European Economic Area to the US face “significant challenges” after the Privacy Shield’s invalidation.
An immediate reaction to the Order’s publication on October 7, 2022 from NOYB questioned the decision to implement reforms via an executive order, stating that the two-tier redress mechanism would not provide proper judicial redress for the purposes of the EU Charter of Fundamental Rights. NOYB promised to issue a detailed legal analysis of the Order in the coming days and weeks.
For potential foreign investors or acquirers, certain transactions that don’t immediately appear to be China or Russia-linked may be viewed as such by the Committee. For example, a UK fund whose general partner includes a Chinese or Russian citizen could be assessed as having a greater national security risk profile by the Committee. Similarly, a Singaporean fund that has a number of smaller unaffiliated Chinese limited partners collectively comprises a significant share of the fund could potentially be viewed by the Committee as a Chinese-controlled fund. And, in addition to the potential influence exercised by investors into otherwise innocent foreign parties, the Committee appears poised to expand its efforts to review the commercial ties foreign parties may have in nations of concern, even if those commercial ties are unrelated to investment. For example, a German semiconductor manufacturer that uses a Chinese contract fab as a key supply partner may receive enhanced scrutiny from CFIUS going forward.
Implications for US Citizens
While the focus of the executive order is to ensure that companies can continue sending data between the EU and the US while meeting the standards set by the Court of Justice of the European Union in 2020, Peter Harrell, a senior official at the White House National Security Council has been quoted in the press saying that the framework will also extend these privacy rights for American citizens.
In order for EU citizens to access the dual layer redress mechanism described above, the US Attorney General will first need to designate the EU as a qualifying regional economic integration organization. As part of that process, the Attorney General will conduct an assessment in the coming months to determine if EU member states have appropriate reciprocal safeguards in place regarding their own signals intelligence on the personal information of US persons.
Implications for Businesses
The new Framework brings relief to businesses who have fought with an increasing strict application of the GDPR’s data transfer rules by courts and data protection authorities in the EU. Once the EC has adopted its adequacy decision (which may take several months), the Framework will be available for businesses in the US who receive personal data from the European Economic Area (EEA). It is expected that the Framework will operate via self-certification, in a similar fashion to the Privacy Shield and Safe Harbor before it.
Businesses considering their data storage and transfer strategies will need to carefully consider the benefits of participating in the Framework in view of developments in recent years. Many will have expended substantial efforts to implement standard contractual clauses after the Privacy Shield was invalidated, in which case relying on the new Framework would require a further round of contractual amendments. Once in place, the Framework will inevitably be challenged before EU data protection authorities and courts, which may make some EU businesses reluctant to rely on it as a legal basis for data transfers to the US
While businesses wishing to rely on the Framework have some months to wait, the Order may have more immediate benefits for transatlantic data flows. In particular, businesses required to carry out transfer risk assessments in connection with data flows to the US may benefit immediately from the restrictions on surveillance, and redress mechanisms that the Order introduces. The EDPB is expected to provide guidance on this point.
Next Steps
Now that the Order has been published, the EC will prepare a draft adequacy decision. This draft, together with the Order and Attorney General’s Regulations, will then be subject to review by the EDPB. The EDPB’s task will be to prepare an opinion on whether the Framework would provide a satisfactory level of data protection for EEA data subjects. While the EDPB’s decision is not legally binding on the EC, it will carry considerable weight in a political and legal sense.
Potential UK Framework
Also on October 7, 2022, a UK-US Joint Statement (Statement) announced the launch of a “senior-level Comprehensive Dialogue on Technology and Data.” The Statement welcomes the Order and notes that “significant progress” has been made on UK-US data adequacy discussions, with the UK aiming to conclude its assessment expediently.
Wilson Sonsini Goodrich & Rosati routinely helps clients manage risks related to the enforcement of privacy and data protection laws, along with advising clients on general domestic and international privacy and data security issues. For more information, please contact Cedric Burton, Laura De Boel, Maneesha Mithal, Christopher Kuner, Nikolaos Theodorakis, Lydia Parnes, Chris Olsen, Tracy Shapiro, or another member of the firm’s privacy and cybersecurity practice.
Tom Evans contributed to the preparation of this alert.