Now that U.S. President Joe Biden has issued an executive order to implement the EU-U.S. Data Privacy Framework, privacy professionals are preparing to resume transferring personal data across the Atlantic without being bound by alternative means, like standard contractual clauses, for the first time in more than two years.
During a session at the IAPP Privacy. Security. Risk. 2022 conference in Austin, Texas, IAPP Chief Knowledge Officer Caitlin Fennessy, CIPP/US, sat down with U.S. Department of Commerce’s International Trade Administration Director Alex Greenstein and American University Washington College of Law Senior Project Director Alexander Joel, CIPP/G, CIPP/US, to discuss the national security and commercial implications of the executive order.
“This executive order is the culmination of a lot of work and great cooperation between the U.S. government and the European Commission,” said Greenstein, who was heavily involved in negotiating the framework on behalf of the U.S. “We're trying to restore trust and stability.”
In terms of national security, Greenstein said the executive order “provides for greater safeguards for foreigners in regard to U.S. signal intelligence.” These provisions were included in the executive order in direct response to the Court of Justice of the EU's "Schrems II" decision, which invalidated the prior Privacy Shield arrangement in 2020, and contain two core components: proportionality in intelligence gathering and an increased role for the U.S. Department of Justice with the Data Protection Review Court.
“Proportionality is one of the issues that was brought by the 'Schrems II' decision (and) updates Presidential Policy Directive 28, (which were) the post-Snowden reforms,” Greenstein said. “So, one of the main elements here is taking into account the privacy and civil liberties of all persons regardless of nationality or residence.”
Joel, the former Chief of the Office of Civil Liberties within the Office of the Director of National Intelligence, said Biden’s executive order was “groundbreaking” in that it codifies the curtailment of certain U.S. intelligence activities in an effort to meet EU adequacy standards.
“The president is tying his own hands and the hands of the national security community in certain ways as specified in the order in a manner that's designed for the binding effect of law in a time where the world is facing a large number of very rapidly changing threats,” Joel said. “Those threats are manifesting themselves, either physically, as Russia invaded Ukraine, as well as on cyber, where we see so much activity that is being discussed in this conference. … But it is a major change that I think is happening in the national security space.”
Greenstein said the new redress mechanism that established the DPRC was the most difficult point of negotiations with the EU because of the previous objections to the lack of independence of the U.S. data ombudsman under the previous Privacy Shield framework. He said the DPRC would comprise retired federal judges and legal scholars who would be independent from the U.S. government.
“At the start we looked at the 'Schrems II' decision as kind of a map for how to make these changes and directly address it in certain ways, and so one of the things in the (Privacy Shield) was the independence and the authority of the (data) ombudsman,” Greenstein said. “So now we’re able to work with full knowledge of the 'Schrems II' decision, and that really has given us a lot more leeway to deal with the rest of those concerns. So, specifically, the redress mechanism throughout (the executive order) includes very robust protections against removal of influence.”
On the commercial side, Fennessy said that while EU-U.S. data transfers weren’t technically illegal, they were “hard to do” under standard contractual clauses between European data protection authorities and U.S. businesses.
Greenstein said now that Biden’s executive order is in effect, he and the negotiating team are working to ensure the new Data Privacy Framework achieves adequacy from the EU.
“Right now, the executive order signed by the president is in force, and so now companies can point to those provisions addressing concerns raised by the (CJEU), and that should provide some relief.” Greenstein said. “We definitely recognize that this has been a very tumultuous and difficult time for industry. … We’re also working to stand up the redress mechanism as quickly possible. My colleagues at the Department of Justice are working quite intensively on that.”
For more on the DPF, Fennessy provided a detailed analysis of the executive order.
If you want to comment on this post, you need to login.