In early October, the United States (“U.S.”) and European Union (“EU”) came one step closer to the much-awaited new EU-U.S. Data Privacy Framework (the “Framework”), designed to facilitate transatlantic data flows between the U.S. and EU following the invalidation of Privacy Shield, the previous EU-U.S. data transfer mechanism.
When the Framework was originally announced in March 2022, the White House stated that an executive order, detailing how the U.S. would effectuate the Framework, was forthcoming. On October 7, 2022, President Biden signed the U.S. executive order (“E.O.”) on Enhancing Safeguards for United States Signals Intelligence Activities, outlining the steps U.S. agencies will take to implement their commitments under the Framework and paving the way for a so-called ‘Privacy Shield 2.0’.
Here are six key things you should know about the Framework, and how it may impact cross-border data transfers going forward:
1. Is it Privacy Shield 2.0? The Framework was originally announced with the aim of re-establishing the EU-U.S. Privacy Shield. This previous data transfer mechanism was invalidated by the Court of Justice of the EU (CJEU) in its judgment Data Protection Commission v. Facebook Ireland and Maximillian Schrems (Schrems II), handed down on July 16, 2020. In Schrems II, the CJEU raised concerns about the breadth of U.S. surveillance laws, questioning the necessity and proportionality of U.S. intelligence access to European personal data, as well as the lack of an independent redress mechanism for investigating complaints about such access.
According to U.S. Secretary of Commerce Gina Raimondo, the Framework “fully” addresses the CJEU’s concerns. The Framework provides additional safeguards to limit access by U.S. intelligence, increases the focus on compliance within the U.S. intelligence community and provides a new mechanism for redress and review. However, Max Schrems, an EU privacy advocate, has already criticized the Framework and questioned whether it addresses the core issues raised in Schrems II.
2. What are the additional safeguards? The E.O. makes it clear that the Framework will limit U.S. signals intelligence data collection to (1) defined national security objectives, (2) validated intelligence priorities, and (3) only the extent and manner proportionate to those priorities. With an express focus on data minimization, purpose limitation and necessity, any data collection activities must consider the privacy and civil liberties of all persons, regardless of nationality or country of residence. The Privacy and Civil Liberties Oversight Board has been tasked with reviewing and updating the policies and procedures of agencies across the U.S. intelligence community to align with the new safeguards.
3. What will the increased focus on compliance look like? The E.O. states that the Framework will require each element of the U.S. intelligence community that collects signals intelligence to have senior-level legal oversight and compliance officials overseeing all signals intelligence activities. These officials are tasked with ensuring that appropriate remediation actions are taken.
4. What does the redress and review mechanism look like? The E.O. has put in place a two-step mechanism for individuals to obtain independent and binding review and redress under the Framework.
First, individuals can submit complaints to the U.S. Civil Liberties Protection Officer (“CLPO”) within the Office of the Director of National Intelligence. An investigation may determine that the E.O.’s enhanced safeguards or other applicable U.S. law were violated, and the CLPO may determine an appropriate remediation.
Second, based on applications submitted by individuals or U.S. intelligence community entities, the newly established Data Protection Review Court (“DPRC”) will provide independent and binding review of the CLPO’s decisions. The Attorney General issued accompanying regulations on the establishment of the DPRC.
5. What are the next steps? The U.S. and EU will work in parallel to establish the foundations for the Framework in each region. On the U.S. side, now that the E.O. has been issued, the U.S. Secretary of Commerce will send a series of letters from relevant U.S. government agencies and supplemental documents that outline the execution and enforcement of the Framework.
In Europe, the EU Commission will now begin the multi-step process of drafting an adequacy decision and launching its adoption procedure. An adequacy decision would determine that, on the basis of the Framework, the U.S. offers an adequate level of data protection to EU data subjects, allowing personal data to flow from the EU to the U.S. without any additional safeguards in place.
However, while the Framework may ultimately provide a new mechanism for the transfer of data to the U.S., until the EU adopts an adequacy decision, companies must continue to rely on other legal mechanisms for cross-border data transfer, including the Standard Contractual Clauses (“SCCs”) and Binding Corporate Rules.
6. Do companies have to wait? As outlined under Number 5 above, companies still need to wait for the EU Commission to draft and approve the adequacy decision before they can stop using other means such as the SCCs. However, companies will benefit right now: because the E.O. has already taken effect, personal data transferred from the EU to the U.S. already has some enhanced safeguards. Companies will therefore be able to update their transfer impact assessments and be better able to justify their current data transfers.
The Framework builds on the “unprecedented” commitments by the U.S. to privacy, data protection, and security with the goal of encouraging cross-border data flows. Despite the Framework’s cautious reception by those in the data protection and privacy sphere, this latest step towards the restoration of an “important, accessible and affordable data transfer mechanism under EU law” should be welcomed.
If you have any questions about how the Framework may impact your business operations, please contact a member of Orrick’s Cyber, Privacy & Data Innovation Group.