The newly released White House executive order implementing the long-awaited EU-U.S. Data Privacy Framework clears a path for trans-Atlantic business and diplomacy alike. Since the Court of Justice of the EU’s “Schrems II” decision invalidated Privacy Shield more than two years ago, personal data flows from the EU to the U.S. have been legally questionable. Some might argue that data transfers were effectively banned.

Enforcement actions have only trickled out, but their precedential and deterrent impact has been significant. That caused havoc for major U.S. technology firms under the microscope in Europe, but led mainly to head-spinning confusion, higher legal costs and a more limited selection of service providers for smaller firms. Friday’s executive order and Department of Justice regulations change that context, providing protections aimed at rebuilding trust and trade across the Atlantic.

Here’s an initial look at what these new rules say, how they work and what comes next as the adequacy review process proceeds. 

What’s in a name?

You are excused if you were confused by the name of this new framework. When U.S. and EU leaders reached an agreement in principle in March on a new accord to address the CJEU’s concerns with Privacy Shield, they called it the “Trans-Atlantic Data Privacy Framework.” Officials made clear at the time the name covered only protections in the national security sphere, which were separate from the commercial Privacy Shield Principles.

This new name covers the full accord, including the protections and newly created redress mechanism governing U.S. signals intelligence activities and the commercial principles to which U.S. companies can self-certify.

The substance and structure

The new DPF includes three components: commercial data protection principles to which U.S. organizations may self-certify, a presidential executive order and DOJ regulations.

The commercial piece

Since the CJEU did not call into question Privacy Shield’s commercial principles, most stakeholders thought these would go untouched. While U.S. authorities noted the changes, which are still being finalized, should not significantly affect existing Privacy Shield participants’ substantive obligations, they are important.

And since the Privacy Shield Principles were negotiated while the EU General Data Protection Regulation was being finalized, they reflected its substantive provisions, but still referenced the 1995 EU Data Protection Directive. U.S. authorities indicated the new DPF will update all references in the commercial principles to refer to the GDPR directly.

Organizations should note this changes the definition of personal data under the commercial principles, which will link to that of the GDPR rather than the Directive. Privacy Shield participants should stay tuned for further updates and guidance from the U.S. Department of Commerce on how to reflect these changes in privacy policies and their self-certification down the line.

The national security pieces

Taken together, the executive order and DOJ regulations aim to address the two failings the CJEU cited in invalidating the Privacy Shield: lack of necessity and proportionality limits on U.S. surveillance programs and insufficient redress rights to challenge unlawful government surveillance. Both the substance and legal structure of these components matter under the CJEU’s essential equivalence test.

Necessity and proportionality under the executive order

The executive order requires U.S. intelligence authorities to limit U.S. signals intelligence activities to what is necessary and proportionate. This is a direct response to the first of the two tests for EU adequacy that the CJEU found the Privacy Shield failed. The Schrems II decision states that “[n]either Section 702 of the FISA, nor E.O. 12333, read in conjunction with PPD-28, correlates to the minimum safeguards resulting, under EU law, from the principle of proportionality, with the consequence that the surveillance programmes based on those provisions cannot be regarded as limited to what is strictly necessary.”

Substantively, the executive order imposes necessity and proportionality limits first by mandating them explicitly, then by explaining what that mandate means and finally by prescribing oversight mechanisms to verify intelligence agencies follow the new rules. It states:

[quote]Sec. 2 (a)(i)(A) signals intelligence activities shall be conducted only following a determination, based on a reasonable assessment of all relevant factors, that the activities are necessary to advance a validated intelligence priority, although signals intelligence does not have to be the sole means available or used for advancing aspects of the validated intelligence priority; and

(B) signals intelligence activities shall be conducted only to the extent and in a manner that is proportionate to the validated intelligence priority for which they have been authorized, with the aim of achieving a proper balance between the importance of the validated intelligence priority being advanced and the impact on the privacy and civil liberties of all persons, regardless of their nationality or wherever they might reside.[/quote]

It then explains what this means in practice, placing explicit guardrails around permissible collection activities and impermissible ones (see Sec. 2(c)). These safeguards address what signals intelligence can be collected, how it can be used and shared, and how long it can be maintained, among other elements.

The executive order then delineates 12 “legitimate objectives,” such as “protecting against threats to the personnel of the United States or of its allies,” with which signals intelligence activities must align, and “four prohibited objectives,” such as “suppressing or burdening criticism, dissent or the free expression of ideas or political opinions” (see Sec. 2(b)).

Finally, it prescribes oversight mechanisms. These include requiring the Civil Liberties Protection Officer of the Office of the Director of National Intelligence to regularly assess whether intelligence priorities pertaining to signals intelligence activities stray outside of these bounds, mandating that each element of the intelligence community have in place a Privacy and Civil Liberties Officer and Inspector General with oversight authority that is not improperly influenced, and requiring training on the executive order.

While “necessary” and “proportionate” might seem the squishiest of terms, in this realm they have weight.

Necessity and proportionality were long perceived as EU-centric terms tied to long histories of CJEU and European Court of Human Rights jurisprudence, which the U.S. could not accept and struck from any multilateral texts during the drafting stages. Embracing these terms is a clear shift that could place the EU and the U.S. on the same side of the table in future multilateral negotiations on privacy and surveillance. They now supplement the long-preferred “reasonableness” standard under U.S. law, which can be found in the 2016 ODNI letters in the original Privacy Shield Framework.

Structurally, under the U.S. legal system, executive orders carry the force of law. As a result, these new requirements will now circumscribe U.S. intelligence activities and be translated into intelligence agencies’ policies, procedures and practices. While many executive orders are long lasting (the first version of EO 12333 was adopted in 1981), some stakeholders expressed a preference for a legislative alternative, worrying that an executive order could be overturned more easily by a future president.

The European Commission may tie its adequacy determination to maintenance of the legal protections on which it is based, as it did in its recent U.K. decision, which could address this longevity concern.

The Data Protection Review Court and DOJ regulations

The executive order is paired with DOJ regulations to create a two-step redress system, including a new Data Protection Review Court, to process complaints concerning the legality of U.S. signals intelligence activities transmitted from “qualifying states” for covered violations of U.S. law.

This system is designed to address the second core requirement of essential equivalence the CJEU found lacking in Privacy Shield and the U.S. legal system. Specifically, the CJEU decision states that there is “a lacuna in judicial protection in respect of interferences with intelligence programmes” and that “neither PPD-28 nor E.O. 12333 grants data subject rights actionable in the courts against the U.S. authorities, from which it follows that data subjects have no right to an effective remedy.” The decision then explains that the Privacy Shield Ombudsman fails to address the cited shortfalls because it lacks power to adopt decisions that bind intelligence authorities and independence from the executive, since the Ombudsman may be dismissed.

Substantively, this begins with the attorney general’s designation of countries or regional economic groups as “qualifying states,” which requires that they meet the following tests:

  • Their laws require appropriate safeguards for signals intelligence activities for U.S. persons’ personal information transferred from the U.S. to their territories.
  • They permit, or are expected to permit, the transfer of personal information for commercial purposes between their territory and the U.S.
  • The designation would advance U.S. national interests.

The Director of National Intelligence’s Civil Liberties Protection Officer serves as the first tier of the redress system. The CLPO will receive and investigate individuals’ claims submitted via an appropriate public authority in a qualifying state. If a legal violation is identified, the CLPO must determine appropriate remediation.

The executive order mandates that the intelligence community cooperate with the CLPO’s investigation and comply with any remedial action prescribed. The order also bolsters the CLPO’s independence, protecting her from influence and removal.

Following an investigation, the CLPO must provide a classified report of any violation to the attorney general for national security, who reports violations to the Foreign Intelligence Surveillance Court. The CLPO then informs the complainant that “the review either did not identify any covered violations or the Civil Liberties Protection Officer of the Office of the Director of National Intelligence issued a determination requiring appropriate remediation.”

While this might seem little more than neither confirming nor denying, this type of notice is modeled on practice in the EU when classified information is at issue.   

Once the CLPO’s investigation concludes, an individual may apply for review of the CLPO’s decision to the newly created Data Protection Review Court, which is the second tier of this redress system.

The executive order requires the attorney general to establish the DPRC by issuing regulations delegating the attorney general’s own authority to review such decisions. The DOJ issued these regulations today.

The DPRC will consist of three judges per case empaneled from a roster of individuals from outside government selected by the attorney general with input from the Secretary of Commerce, the Director of National Intelligence and the Privacy and Civil Liberties Oversight Board.

Judges must be members of the bar in good standing, licensed to practice law and have experience in data privacy and national security, with a preference for those with judicial experience. Judges will hold security clearances to access the classified information necessary to investigate the cases. Individual claimants will be provided a special advocate to represent their interests before the DPRC with access to the same classified material as the judges but will not themselves have access to classified material.

Where the DPRC disagrees with the CLPO’s determination, it may issue its own determination and remedial measures, with which the intelligence community must comply.

Finally, both the Department of Commerce and PCLOB play oversight roles. Commerce is charged with consulting with the intelligence community every five years to determine whether information pertaining to these cases has been declassified and can be released, adding an element of transparency.

The PCLOB is encouraged to conduct an annual review of the process, publicly certify whether it is operating as required, and release an unclassified version of the resulting report. The term “encouraged” is likely used because as an independent agency whose mission is prescribed by Congress, the president may not mandate that the PCLOB do this. However, the PCLOB released a statement indicating that it “plans to accept the advice and oversight roles envisioned.”

While the substance of these rights is significant, negotiators’ greatest challenge was not securing the political will to grant them, but rather identifying a workable legal structure to implement them. EU and U.S. negotiators had to overcome the CJEU’s independence and power critiques, while recognizing that U.S. constitutional jurisprudence requires proof of “injury in fact” for standing to sue in U.S. courts, a difficult bar to meet when surveillance is often secret.

It is likely the standing hurdle that led negotiators to place this new court in the executive branch, where redress can proceed without the claimant needing to meet that standing bar, as advocated during negotiations by various privacy experts.

The use of DOJ regulations to create the new DPRC is designed to provide the stipulated independence. Both the executive order and the regulations explicitly prohibit the attorney general from interfering in the exercise of his delegated legal authority and protect the judges from dismissal. The executive order plays the larger role in addressing the CJEU’s power critiques by explicitly directing U.S. intelligence agencies to comply with any remedial measures stipulated by the DPRC.

What’s next?

The adequacy process

The European Commission will now launch its adequacy assessment. That process, as depicted here, requires the commission to put forward a draft adequacy determination, the EDPB to issue a nonbinding opinion, EU member states to vote to approve the decision, and the European Commission College of Commissioners to formally adopt it. The European Parliament may also weigh in with a non-binding resolution at any stage.

Historically, this process has taken four or five months once the commission finalizes its draft.

Following an adequacy determination, companies could self-certify to the DPF’s commercial principles, eliminating the challenges and uncertainty associated with transfer impact assessments and supplementary measures.

As important, DPF national security protections apply regardless of which GDPR-recognized commercial data transfer mechanism companies select. This means that companies using standard contracts, derogations, and Binding Corporate Rules should be able to rely on the adequacy determination as it relates to U.S. government access, avoiding the uncertainty associated with assessing U.S. government access protections here as well.

In the interim

Having waited 26 months, privacy professionals are undoubtedly asking, “Really, this will take more time? What happens in the interim?”

Legally, until an adequacy determination is granted, companies should continue to follow the European Data Protection Board’s recommendations on measures that supplement transfer tools.

But once the EU is named as a “qualifying state” (assuming it will be) and complaints can be submitted, this should become less daunting. The EDPB recommendations state that companies must “assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer.”

The EDPB continues to note that supplementary measures are “only necessary if your assessment reveals that the third country legislation impinges on the effectiveness of the Article 46 GDPR transfer tool.” The fact that the U.S. gave the DPF the force of law, that the European Commission stated that “the Executive Order introduces new binding safeguards to address all the points raised by the Court of Justice of the EU” and is designed to provide “a durable and reliable legal basis for transatlantic data flows,” and that it will now launch its adequacy process makes clear that U.S. and EU government officials believe that this framework meets EU standards of essential equivalence.

While companies cannot yet legally rely on that positive assessment of U.S. government access protections, it provides welcome reassurance. At a minimum, while we wait for EU data protection authorities and member states to weigh in, privacy professionals should breathe a little easier.

DPAs themselves could face as complex a challenge, determining how the changed legal context affects ongoing investigations and even decisions in interim stages, while the adequacy process proceeds. Their first opportunity for discussion could come as early as Monday, Oct. 10, given the previously scheduled EDPB plenary meeting.

After the fact

Adequacy might be more of a starting point than an end game. Eyes will soon turn to both the U.K. and Switzerland.

Sitting outside the EU, both the U.K. and Switzerland recognized Privacy Shield previously. U.K. officials have been open about their engagement with U.S. officials on the planned protections with an eye toward their own assessment. In 2021, the U.K. listed the U.S. on their priority list of destinations for adequacy. The U.K. has also led OECD efforts to develop trusted principles for government access to private-sector data, which has clear overlaps with the work of EU and U.S. negotiators. Finally, the U.K. has joined governments in Asia-Pacific Economic Cooperation and beyond in expressing interest in the Global Cross Border Privacy Rules System.

With Commerce Secretary Gina Raimondo in London Oct. 7, we could see the U.K. make data transfer news of its own.

The EU-U.S. Data Privacy Framework itself will also be tested by individuals and scrutinized by regulators, courts and the public at large almost immediately, as were past agreements — something the negotiators themselves certainly expect. The 26 months it took to get here were presumably aimed at preparing it to withstand these challenges.

The question now is whether this cycle of break and rebuild will become perpetual or instead serve as a building block for broader multilateral collaboration or even progress on U.S. federal legislation to make U.S. commercial data protections as binding for individuals regardless of nationality or residence, as are their new national security equivalents.