Companies that transfer data from Europe to the United States have new hope that a less administratively burdensome transfer mechanism will return in the near future.
On October 7, President Biden signed the much-anticipated Executive Order (EO) on Enhancing Safeguards for United States Signals Intelligence Activities, which details the steps the U.S. will take to restore a critical transatlantic data transfer mechanism that complies with EU law. The new measures address concerns raised by the Court of Justice of the European Union (CJEU) about the risk of U.S. government surveillance to Europeans’ privacy rights. By bolstering U.S. data privacy protections, the EO provides the European Commission (EC) a basis to adopt a new adequacy decision to reinstate the EU-U.S. Privacy Shield (the Privacy Shield) as an adequate data transfer mechanism to again streamline the flow of personal data from Europe to the U.S.
The Winding History of EU-U.S. Data Transfers
The EO marks the latest chapter in the ever-shifting story of transatlantic data transfers and EU-U.S. data agreements. In 2000, the U.S.-EU Safe Harbor Framework received the EC’s adequacy decision, which the CJEU invalidated in 2015. In 2016, the Privacy Shield, intended as a replacement for the Safe Harbor Framework that reflected the CJEU’s requirements, received an adequacy decision. Companies then obtained Privacy Shield certifications and began relying on the Privacy Shield for transatlantic personal data transfers. That all ended when the CJEU invalidated it in July 2020 in Schrems II. We previously wrote about Schrems II and its consequences here.
Post-Schrems II, data transfers from the European Economic Area (EEA) to the U.S. and other applicable countries can be significantly more complex, costly and legally uncertain. Companies now conduct data transfer impact assessments before transferring personal data to countries, like the U.S., that lack an EC adequacy determination and typically rely on an elaborate set of adequacy measures to transfer data from the EEA to such countries, including the Standard Contractual Clauses or Binding Corporate Rules. The EO, if it results in the Privacy Shield receiving a new adequacy determination, will reduce the complexity of transatlantic data transfers.
Summary of EO (or How the U.S. Seeks to Win Over the EC)
- New Safeguards for U.S. Signals Intelligence Activities. To address the CJEU’s concerns that U.S. national security and surveillance collection methods (including FISA Section 702 and EO 12333) do not adequately protect EU data subjects’ fundamental privacy rights, the EO proposes:
  - Adding necessity and proportionality safeguards (similar to the purpose limitation principles used under EU privacy laws) to data collection practices under U.S. surveillance laws. In particular, such data collection must be conducted “only when necessary to advance a validated intelligence priority” and “only to the extent and in a manner proportionate to that priority”;
  - Requiring the U.S. intelligence community to update its policies and procedures to reflect these new safeguards; and
  - Having the Privacy and Civil Liberties Oversight Board review such policies and procedures to ensure consistency with the EO.
- European Data Subjects May Seek Redress in the U.S. In response to the CJEU’s finding that European data subjects lack an effective judicial redress process in the U.S., the EO orders the creation of an independent and impartial multi-layer redress mechanism through which European data subjects can lodge complaints with U.S. authorities that their personal data was gathered in violation of applicable EU data protection laws. Under the new system, complainants would have redress opportunities analogous to litigants’ rights of appeal in U.S. courts.
  - Layer 1: First, a Civil Liberties Protection Officer (CLPO) will adjudicate claims, assessing whether the EO’s safeguards or other applicable U.S. laws were violated and determining the remediation steps to be implemented by the intelligence community. Subject to review at the second level, the CLPO’s decision will be binding on the intelligence community.
  - Layer 2: Second, a new Data Protection Review Court (DPRC) established by the U.S. Department of Justice will provide “independent and binding review” of the CLPO’s decisions.
- Revocation of Presidential Policy Directive 28 (PPD 28). To address the concerns raised by the CJEU and to further strengthen oversight of how Intelligence Community policies and procedures are reviewed and maintained, the EO was accompanied by a National Security Memo that revoked most of PPD 28, a national security directive issued by President Obama in 2014 to address EU regulators’ then-growing concerns about U.S. signals intelligence activities. The Memo leaves intact two sections of PPD 28, which will continue to address “Principles Governing the Collection of Signals Intelligence” and other “General Provisions.”
Practical Takeaways
- Immediate Next Steps. The EO does not immediately trigger any action items for companies that previously self-certified as compliant with the Privacy Shield or that are considering certification. Until an adequacy decision is issued by the EC (expected no earlier than Spring 2023), companies may continue to rely on existing data transfer mechanisms, such as the EU Standard Contractual Clauses issued by the European Commission in July 2021, as a legal mechanism for such transfers.
- Transfers to the U.S. If and when the EC issues an adequacy decision with respect to the U.S., the Privacy Shield will likely be reinstated as a valid transfer mechanism for EU-U.S. data transfers. Thus, companies that have maintained their Privacy Shield certifications will likely be able to rely on the Privacy Shield for EU-U.S. data transfers again. Additionally, the Department of Commerce has continued to process Privacy Shield self-certifications, even after Schrems II. Companies that have not yet self-certified and that want to rely on the Privacy Shield for EU-U.S. data transfers should consider preparing to self-certify so that they will be ready to do so if the EC issues an adequacy decision.
- Transfers to Other Non-U.S. Countries. The EU maintains a list of countries to which it has issued adequacy determinations, including Argentina, Israel, Japan, Switzerland and the United Kingdom. Since adequacy determinations are issued on a country-by-country basis, companies transferring data to non-EEA countries with no adequacy determination will still need to rely on other mechanisms for such data transfers to be legally valid. The most common mechanism used for these non-EEA transfers is the 2021 Standard Contractual Clauses, together with the accompanying requirement to conduct a data transfer impact assessment prior to the transfer.
Questions?
Please contact Dave Feder, Tyler Newby, Heba Tawadross, Samantha Ong or any member of Fenwick’s Compliance Team and/or any member of Fenwick’s Privacy & Cybersecurity Practice.