It’s the hope that kills you: The next stage in EU-US Data transfers

Ted Lasso may be one of the US’s most famous recent fictional exports to this side of the Atlantic, but it is transfers in the other direction that recently made headlines. On 7 October 2022, the President of the United States of America Joe Biden signed the “Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities” (the “Executive Order”). The Executive Order, along with regulations issued by the Attorney General, relate to the implementation of the new EU-U.S. Data Privacy Framework (the “Privacy Framework”) which aims to facilitate the continued transatlantic free flow of data. The Privacy Framework, agreed in principle between the EU and the US in March 2022, aims to fill the void which was left after the 2020 Schrems II decision of the Court of Justice of the EU (“CJEU”), invalidating the Privacy Shield, a previous legal framework for EU-US data flows, due to its insufficient protection of EU data subjects’ rights. It also follows the European Commission’s adoption in June 2021 of new-form standard contractual clauses to address some of the points made by the CJEU with respect to the old SCCs in the Schrems II judgment.

The purpose of this Executive Order and the Privacy Framework generally is, in essence, to enable organisations to transfer, or to continue transferring, personal data to the US from the EU whilst being confident that the personal data is receiving protections meeting the standards as would be required if the data were to remain in the EU – but also confident that the new mechanisms bringing that about will stand up to the scrutiny of the CJEU. Here, we consider what those new mechanisms are and whether those dual purposes shall be met.

The Executive Order: Main changes

The Executive Order, as well as the accompanying regulations, implement certain of the commitments made by the US in March 2022. The Privacy Framework contains significant improvements on the Privacy Shield, focusing in particular on new safeguards in the area of government/law enforcement agency access to data and the implementation of requirements on US companies in respect of importing data from the EU.

The Executive Order itself is comprised of two main parts. Firstly, for Europeans whose personal data is transferred to the US, the Privacy Framework provides for binding substantive safeguards that limit access to data by US intelligence authorities. Authorities will be required to take into account each individual’s privacy and civil liberties, and access to data will only be permitted, for surveillance purposes, to the extent the surveillance is necessary and proportionate in pursuit of defined national security objectives. Such objectives include assessing the capabilities of a foreign government, military, political organisation, or its agent to protect the national security of the US or its allies, assessing transnational threats to global security, combatting terrorism and hostage crises, and protecting against espionage and cybersecurity threats. The Executive Order also establishes handling requirements for data collected for surveillance purposes and establishes a number of prohibited objectives for which intelligence activities may not be pursued.

The second part of the Executive Order provides for a new multi-layered redress mechanism to address complaints relating to data collection. The mechanism will allow data subjects who believe their data has been unlawfully processed to seek redress from a Civil Liberties Protection Officer (“CLPO”) of the US intelligence community, who is responsible for ensuring compliance by US intelligence agencies with privacy and fundamental rights. The Framework then permits the appeal of a decision made by a CLPO to a newly-established independent Data Protection Review Court. This represents a contrast to the mechanism that existed under the Privacy Shield, which contained a redress system that only permitted an appeal to a US State Department Ombudsperson, who held no investigatory or binding decision-making powers.

The third piece of the puzzle is commercial data protection principles to which U.S. organisations may self-certify as part of the new regime. The Privacy Framework also updates the privacy principles that companies previously adhered to under Privacy Shield and renames them as the “EU-U.S. Data Privacy Framework Principles”. Since the Schrems II judgment did not significantly call into question Privacy Shield’s commercial principles, the changes do not materially affect the obligations which participants of the Privacy Shield previously undertook.

It is, primarily, the greater restrictions placed on law enforcement agencies’ abilities to access EU personal data and the strengthened redress procedures that form the basis of this proposal to align US and EU data protection regimes.

Next steps

At a basic level, the GDPR restricts the transfer of personal data outside the EU. However, the European Commission can adopt “adequacy decisions” thereby allowing personal data to flow freely between exporters and importers if it is considered that an “adequate level of protection” is being provided for personal data in the importing country. Adequacy decisions can remove the need to rely on additional transfer mechanisms (such as standard contractual clauses) or one of the derogations set out in the GDPR.

The European Commission is currently reviewing the Privacy Framework with a view to preparing a draft adequacy decision and commencing the adoption procedure. This process involves the submission of the European Data Protection Board (“EDPB”) of a draft adequacy decision for review to a committee composed of representatives of the EU member states. The European Parliament also has a right of scrutiny over adequacy decisions. Following committee review, the European Commission can then adopt a final adequacy decision. This process is likely to take several months, during which time organisations conducting EU-US data transfers must continue to rely on alternative data transfer mechanisms.

If the US is approved as a country with data adequacy, organisations transferring data from the EU to the US (and that are certified under the Privacy Framework) will no longer be required to separate data transfer mechanisms to provide additional safeguards.

Transfers to countries that have not received an adequacy decision (including the United States following Schrems II) must utilise “appropriate safeguards” for the protection of personal data through a valid data transfer mechanism, such as the Standard Contractual Clauses (“SCCs”). SCCs are clauses incorporated into businesses’ commercial contracts and are currently the most common method to carry out such transfers. As mentioned above, in June 2021 new-form SCCs were approved for use by the European Commission; these place much more onerous obligations on data exporters to verify, prior to any transfer of personal data pursuant to the SCCs, whether data subjects would be granted a level of protection in the receiving country essentially equivalent to that guaranteed within the EU. While the Privacy Framework awaits approval, organisations may still rely on other valid data transfer mechanisms, including SCCs and Binding Corporate Rules, for EU-US data transfers. However, if the Privacy Framework is the subject of a successful adequacy decision, businesses will be able to transfer personal data to the US without the use of SCCs and other separate data transfer mechanisms, if the recipient of the data is certified under the Privacy Framework. Transfers must still, however, comply with all provisions of the applicable data protection legislation and the processing of personal data must be lawful before, during and after the transfer.

Outlook for Privacy Framework

It is arguable that since Schrems II, legally compliant EU-US data transfers have been effectively impossible. Organisations conducting EEA-US data transfers will be hopeful the Privacy Framework can overcome the obstacles raised by Schrems II. However, the Privacy Framework is widely expected to be legally challenged. Activist Max Schrems has already indicated that a challenge is likely, arguing that core issues of the Privacy Shield have not been solved in the new deal and the Privacy Framework fails to provide the needed legal certainty for EU data subjects. He has already issued a press release suggesting that the Executive Order does not satisfy the requirements of Schrems II and it will likely bring another challenge through NOYB, the digital rights organisation he co-founded. It has been further pointed out that the new transfer mechanism was not based on statutory amendments to U.S. surveillance laws, claiming that it does not provide EU data subjects with meaningful avenues for judicial redress.

In its judgment in the Schrems II case, the CJEU previously invalidated a decision on the adequacy of the protection provided by the EU-U.S. Privacy Shield. The CJEU arrived at this decision finding that the interference with fundamental rights, in relation to the transfers of personal data to the US, had not been sufficiently restricted meeting EU data protection requirements. It has been suggested that the newly proposed framework is unlikely to withstand legal challenge for a number of reasons, including to its close resemblance to the Privacy Shield, the fact that that executive orders are, by their nature, capable of alteration or retraction by future administrations (making the Executive Order an unreliable basis for the Privacy Framework) and the fact that there remains a general absence of any federal data protection law in the US, calling into question how the Privacy Framework could ever be regarded as ‘adequate’. The near-inevitability of a challenge, combined with the CJEU’s already-apparent lack of reticence in vindicating EU residents’ data protection rights with respect to exports of their personal data and the patchwork, two-tier nature of the US’s proposed solution via the Privacy Framework means that the realistic view of matters is that, despite the fanfare, this may not come to be a long-term solution.

Conclusion

Ratification of the Privacy Framework by the various EU institutions could take as long as six months, meaning that any resulting adequacy decision would not be approved until at least spring 2023. As such, from a practical perspective organisations that are exporting data outside of the EEA should continue to follow the EDPB’s recommendations on measures that supplement transfer tools, as well as continue to rely on currently valid data transfer mechanisms, to ensure compliance with the EU level of protection of personal data. Arguably, this means continuing to avoid EU to US data transfers where possible. Organisations conducting such transfers are hopeful that the Privacy Framework will be found to propose a data transfer mechanism, as well as adequate safeguards, that can survive the near-inevitable legal challenge. It may not be Ted Lasso’s favourite phrase, but it seems appropriate here: it’s the hope that kills you.