Third Time’s a Charm? The New EU-US Data Privacy Framework and the US’s Pursuit of an EU Adequacy Decision under GDPR


by Max Landaw

On October 7, President Joe Biden issued an executive order (EO), “Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities,” EO 14086, which lays the foundation for a new EU/US data privacy framework (called the “EU-U.S. Data Privacy Framework,” but colloquially called Privacy Shield 2.0) with an end goal of rendering an adequacy decision for the United States.

Under Article 45 of GDPR, the European Commission is tasked with monitoring which countries outside of the EU (called “third countries”) have legislation, supervisory authorities, and international commitments largely in line with GDPR principles and obligations. The European Commission may render adequacy decisions to third countries which allow international transfers of EU personal data to such third countries with no additional safeguards.

The US has had two previous adequacy decisions invalidated by the Court of Justice of the European Union (CJEU), both due to challenges from Austrian privacy advocate Max Schrems (colloquially called the Schrems I and Schrems II decisions). The most recent case, Schrems II, invalidated the previous 2016 EU-US Privacy Shield Framework as the framework did not adequately address or limit United States federal government surveillance power under laws such as the US Foreign Intelligence Surveillance Act (FISA).

U.S. Secretary of Commerce Gina Raimondo put out a statement regarding the EO: “The EU-U.S. DPF includes robust commitments strengthening the safeguards for U.S. signals intelligence activities, which will ensure the privacy of EU personal data and create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by such activities. The EU-U.S. DPF also provides a durable and reliable legal foundation for the trans-Atlantic data flows that underpin more than $1 trillion in cross-border trade and investment per year and create greater economic opportunities for companies and citizens on both sides of the Atlantic.”

This latest EO addresses the Schrems II decision directly by a) limiting the collection and use of signals intelligence and b) creating a redress mechanism that is not limited to US nationals.

Signals Intelligence

Signals intelligence refers specifically to intelligence gathering by interception of signals, either in the form of communications between persons or electronic signals. Such intelligence is used by the US federal government for purposes such as counter-terrorism measures. FISA and other federal legislation, such as the CLOUD Act, broadly allow collection of bulk surveillance data. The EO is the first implementation of the Trans-Atlantic Data Privacy Framework announced in March 2022, which will restrict the executive in its ability to collect and use such signals intelligence. Specifically, collection of such signals intelligence must be necessary and proportionate for advancing national security objectives.

Section 2(b) of the EO lists 12 legitimate objectives for the collection of signals intelligence, including:

  • “understanding or assessing the capabilities, intentions, or activities of foreign organizations, including international terrorist organizations, that pose a current or potential threat to the national security of the United States or of its allies or partners”; 

  • “protecting against foreign military capabilities and activities”; and  

  • “protecting the integrity of elections and political processes, government property, and United States infrastructure (both physical and electronic) from activities conducted by, on behalf of, or with the assistance of a foreign government, foreign organization, or foreign person.”

Section 2(b)(ii) of the EO additionally lists out the following prohibitions in the collection of signals intelligence:

(A) Signals intelligence collection activities shall not be conducted for the purpose of:

(1) suppressing or burdening criticism, dissent, or the free expression of ideas or political opinions by individuals or the press;

(2) suppressing or restricting legitimate privacy interests;

(3) suppressing or restricting a right to legal counsel; or

(4) disadvantaging persons based on their ethnicity, race, gender, gender identity, sexual orientation, or religion.

(B) It is not a legitimate objective to collect foreign private commercial information or trade secrets to afford a competitive advantage to United States companies and United States business sectors commercially. The collection of such information is authorized only to protect the national security of the United States or of its allies or partners.

The EO states that use of signals intelligence must advance a “validated intelligence priority,” and it restricts bulk collection. As Section 2(c)(ii)(A) states, “Targeted collection shall be prioritized. The bulk collection of signals intelligence shall be authorized only based on a determination — by an element of the Intelligence Community or through an interagency committee consisting in whole or in part of the heads of elements of the Intelligence Community, the heads of departments containing such elements, or their designees — that the information necessary to advance a validated intelligence priority cannot reasonably be obtained by targeted collection.”

The EO also directs any agency containing an element of the intelligence community to comply with the EO and “establish and apply policies and procedures designed to minimize the dissemination and retention of personal information collected through signals intelligence.”

Redress Mechanisms

The EO creates a two-tiered system of redress: the Civil Liberties Protection Officer of the Office of the Director of National Intelligence (CLPO) and an independent administrative court called the Data Protection and Review Court (Court).

All qualifying complaints (defined as “a complaint . . . that alleges a covered violation has occurred that pertains to personal information of or about the complainant, a natural person, reasonably believed to have been transferred to the United States from a qualifying state after the effective date of the Attorney General’s designation for such state . . . .”) are to be initially investigated by the CLPO. The complainant may have any complaint subsequently reviewed by the Court. The Court is to be made up of judges appointed by the Attorney General in consultation with the Secretary of Commerce, the Director of National Intelligence, and the Privacy and Civil Liberties Oversight Board (PCLOB). Despite the Attorney General’s appointment power, “[t]he Attorney General shall not interfere with a review by a Data Protection Review Court panel of a determination the CLPO made regarding a qualifying complaint under subsection (c)(i) of this section; nor shall the Attorney General remove any judges appointed as provided in subsection (d)(i)(A) of this section, or remove any judge from service on a Data Protection Review Court panel, except for instances of misconduct, malfeasance, breach of security, neglect of duty, or incapacity . . . .”

This system is therefore somewhat novel, as the EO provides a redress mechanism for foreign nationals from qualified states whereas prior redress mechanisms were generally for the benefit of US nationals.

Commercial Surveillance

The EO only addresses federal/executive surveillance. U.S. Privacy Shield Director Alex Greenstein has stated that the new EU/US data privacy framework will essentially mimic the previous Privacy Shield (1.0) that the CJEU invalidated in Schrems II. The rationale is that the Schrems II court only addressed issues of federal surveillance and not commercial surveillance. This will mean that companies that had previously self-certified and maintained such certification under the Privacy Shield framework will be able to move over to the new framework somewhat seamlessly.

Next Steps for the EU

The EO represents the first legal step towards Privacy Shield 2.0. On the EU side, the European Commission is expected to complete its draft adequacy decision in the next four to six weeks. The European Data Protection Board (EDPB) will then issue a nonbinding opinion on the draft adequacy decision. The EU Member States finally must approve the draft. That final vote will likely occur in approximately six months, in the spring of 2023.

UK Response

In 2020, the United Kingdom left the EU but maintained its own mutatis mutandis version of GDPR, called “UK GDPR.” This has meant that the UK has been able to make its own independent determinations of whether third countries, such as the US, should receive adequacy decisions. With the Privacy Shield framework invalidated after the Schrems II decision, the US has also been without an adequacy determination with the UK.

While Privacy Shield 2.0 represents an agreement solely between the EU and the US, the UK has recently commented favorably on the new framework. On October 7, the UK’s Secretary of State for DCMS, The Rt Hon Michelle Donelan MP, welcomed the EO, noting the increased safeguards for UK data subjects.

This likely means that, if the EU renders an adequacy decision with the US, the UK may follow soon after, allowing Privacy Shield 2.0 to serve as a valid transfer mechanism for UK-US transfers as well.

Criticism of the New Framework

Not all commentary on the new framework has been positive. Both the ACLU and Max Schrems’s privacy watchdog nonprofit, NOYB (“None of Your Business”), have come out stating that the new framework does not provide adequate safeguards for foreign nationals.

NOYB published its initial opinion of the EO, stating that the EO does not fully end bulk surveillance, that the Court “is not a real Court,” and that the two-tiered structure does not provide an appropriate form of redress, as “[t]he US government will neither confirm nor deny that the user was under surveillance and will only inform the user that there was either no violation or it was remedied . . . .”

The ACLU criticized the EO and the new framework as well. Ashley Gorski, senior staff attorney with the ACLU National Security Project, stated, “President Biden’s executive order does not go far enough. It fails to adequately protect the privacy of Americans and Europeans, and it fails to ensure that people whose privacy is violated will have their claims resolved by a wholly independent decision-maker.” The ACLU put out the following bullet-pointed list of reforms it is advocating in order to radically reform US surveillance laws:

  • Ending bulk, generalized data collection conducted under Executive Order 12333;

  • Narrowing the categories of persons who may be targeted using surveillance under Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333; and

  • Ensuring that individuals impacted by U.S. surveillance are able to challenge improper surveillance in U.S. courts, including by reforming the “state secrets privilege.”

The ACLU, NOYB, and other critics believe that the only way to rein in what they see as virtually unfettered federal surveillance is through legislation, as opposed to an executive order. Executive orders are on shakier ground from a constitutional perspective and can be repealed more easily by a subsequent executive order (e.g., if Biden loses the 2024 presidential election, his successor may repeal the EO).

Additionally, critics note that the administrative court does not have the same sort of power, independence, or authority as a court organized under Article III of the US Constitution.

Response to Criticism

Addressing both criticisms, Mr. Greenstein has noted that executive orders have the binding force of law and are not flimsy. Specifically, since legislation such as FISA focuses solely on the permitted acts of the executive, an executive order is a proper method to limit the acts of the executive branch. Greenstein also noted that many executive orders are now decades old, have survived constitutional attacks, and are accepted as binding law. As to their relative fragility compared to Congressional legislation, one obvious point is that legislation in a liberal democracy can be repealed as well.

As to the redress mechanisms, an administrative court was noted as being a more acceptable avenue for foreign nationals from a constitutional perspective. The use of an Article III court for redress would have faced much more constitutional scrutiny, as complainants subject to federal surveillance would not per se be “harmed” sufficiently to have standing in such a court. The use of an administrative court ensures that all applicable foreign nationals will have access to the redress mechanism anticipated by the EO.

Nonetheless, we can expect challenges to the new framework if and when the EU issues a final adequacy determination. In other words, be on the lookout for Schrems III in the coming years.

What Can Businesses Do Now?

If and when the EU issues its adequacy decision for the US and Privacy Shield 2.0 becomes a valid transfer mechanism, businesses will be able to certify with the new framework for conducting international transfers from the EU to the US. This will mean that companies that self-certify with Privacy Shield 2.0 will likely not need to rely on additional safeguards such as the standard contractual clauses, simplifying negotiation of data protection addenda to commercial agreements like vendor contracts. Companies that continue to self-certify to the existing Privacy Shield (1.0) framework will be able to shift seamlessly to Privacy Shield 2.0, as the frameworks will likely be near identical. Aside from clarifying the previously dubious legality of all international transfers from the EU to the US, the ability to use a new transfer mechanism other than the standard contractual clauses will be a major boon for companies, who have had to include these lengthy clauses in all agreements which anticipate international data transfers.

Even for companies that choose not to self-certify with Privacy Shield 2.0 and prefer a different transfer mechanism, such as binding corporate rules or the standard contractual clauses, the benefits will be apparent, as all businesses engaged in EU-US international transfers will no longer have to conduct transfer risk assessments.

For now, although businesses engaged in EU-US international transfers may not yet rely on any adequacy decision, such businesses may refer to the EO in their transfer risk assessments. The EO strengthens the case that there is oversight and redress in the United States, regardless of whether transfers take place under Privacy Shield, standard contractual clauses, or binding corporate rules. Businesses should also review their data protection addenda and can consider amendments which make reference to Privacy Shield 2.0 in the event it becomes a valid transfer mechanism.

Originally published by InfoLawGroup LLP.