The wait for a finalized agreement to solidify EU-U.S. data flows is winding down. The latest step forward in the process came with U.S. President Joe Biden's long-awaited executive order mandating new legal safeguards over U.S. national security agencies' access and use of EU and U.S. personal data.
The order comes more than six months after Biden and European Commission President Ursula von der Leyen announced an agreement in principle on the EU-U.S. Data Privacy Framework. Talks for that agreement began in August 2020 after the preceding agreement, the EU-U.S. Privacy Shield, was invalidated by the Court of Justice of the European Union a month earlier.
According to the White House fact sheet, the order "bolsters an already rigorous array of privacy and civil liberties safeguards for U.S. signals intelligence activities. It also creates an independent and binding mechanism enabling individuals in qualifying states and regional economic integration organizations, as designated under the (executive order), to seek redress if they believe their personal data was collected through U.S. signals intelligence in a manner that violated applicable U.S. law."
The European Commission published a Q&A outlining the U.S. order and announced its intentions to "prepare a draft adequacy decision, as well as launch its adoption procedure" based on the new U.S. commitments. That ratification process could take up to six months, meaning March 2023 is the latest the Data Privacy Framework could be finalized if not earlier.
IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, who was former Privacy Shield director for the U.S. Department of Commerce, wrote a deeper analysis of the U.S. order here.
The US portion of the bargain
The order aims to reconcile the CJEU's issues with EU consumer redress and determination of necessity and proportionality associated with U.S. national security checks. The commitments that will be executed appear to address those roadblocks.
Chief among the new mandates is the creation of a "multi-layer mechanism" to allow individuals to "obtain independent and binding review and redress." The latter-half of that mechanism will be carried out through a Data Protection Review Court established by the U.S. Department of Justice.
"Critics who say this is a re-run of Privacy Shield are incorrect. The new U.S. redress system creates independent investigations and decisions on complaints, and binding orders on the U.S. intelligence community," said Alston & Bird Senior Counsel Peter Swire, CIPP/US, who co-authored an article on a potential workable redress mechanism.
Additionally, there are new safeguards focused on purpose limitation and necessity that U.S. national security entities must add to their policies and procedures. Agencies will also be staked to new data-handling requirements that extend "the responsibilities of legal, oversight, and compliance officials to ensure that appropriate actions are taken to remediate incidents of non-compliance."
The U.S. Privacy and Civil Liberties Oversight Board has been tasked to review agencies' policies and procedures to "ensure that they are consistent with the executive order" and to conduct annual reviews of the redress process.
Hogan Lovells Partner Eduardo Ustaran, CIPP/E, said the order presents as "very mindful of the limits sought by the CJEU" while not being misconstrued as a mere "declaration of democratic principles."
"The requirements imposed on the intelligence community to update their policies and procedures to reflect these safeguards will bring to life the aspirations they pursue, which is what matters at the end of the day," Ustaran added.
The fate of the two EU-U.S. data agreements — Privacy Shield in 2020 and the Safe Harbor framework in 2015 — came down to legal challenges from Max Schrems, honorary chairman of EU-based NGO NOYB. Following the release of the U.S. order, Schrems has made initial indications a third challenge is likely.
"The EU and the U.S. now agree on use of the word 'proportionate' but seem to disagree on the meaning of it," Schrems said in an NOYB statement. "In the end, the CJEU's definition will prevail — likely killing any EU decision again. The European Commission is again turning a blind eye on U.S. law, to allow continues spying on Europeans."
Spotlight on redress court
In a statement, the Department of Justice said, "The DPRC will independently review determinations made by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence in response to qualifying complaints sent by individuals through appropriate public authorities that allege certain violations of United States law in the conduct of United States signals intelligence activities."
The White House said judges will be non-U.S. government appointments who "have relevant experience in the fields of data privacy and national security."
The European Commission's Q&A alluded to the significant change the first-of-its-kind redress court and the overall redress system brings to the protection of EU citizens' data.
"These are significant improvements, compared to the mechanism that existed under the Privacy Shield," the Commission said. "At that time, individuals could turn to an Ombudsperson, which was part of the U.S. State Department and did not have similar investigatory or binding decision-making powers."
Access Now Global Data Protection Lead Estelle Massé, CIPP/E, said the concept for improving consumer remedy is positive, but the plan to establish the court is filled with holes. She mentioned perceived ambiguity around the "special advocate" assigned to individual claims and the potential for appeals to DPRC decisions, but was most concerned with DPRC's status as a constitutional court.
"The creation of the Data Protection Review Court is confirmed but it does not appear to be a 'court' in the sense of Article III of the U.S. Constitution, since only the U.S. Congress has the power to create such entities. This raises questions in relation to the concrete independence of the created court," Massé said.
The business effects
For more than two years companies were left to tread lightly with data flows as U.S. and EU officials tried to find a path forward. Without a definitive framework in place, organizations had no word on whether their compliance obligations for data transfers were sufficient or would require change.
"This is a very welcome development as companies alone were not in a position to offer these protections," Hintze Law Partner Jennifer Ruehr, CIPP/US, said. "This will be a huge burden lifted for U.S. companies who have operations in Europe as they now have concrete assurances that they can provide to customers and use to inform transfer impact assessments."
With respect to business obligations, U.S. Chamber of Commerce Senior Vice President for Europe Marjorie Chorlins said, "Today's announcement represents a commitment by the U.S. government, that doesn't materially change the obligations companies are already under with regard to privacy and data flows."
Companies that remain certified under the Privacy Shield program administered by the Department of Commerce's International Trade Administration are also breathing a sigh of relief based on what's included in the U.S. order. BBB National Programs Senior Vice President, Privacy Initiatives Dona Fraser said member companies that are Privacy Shield certified and participating in BBB National's self-regulatory program "are well positioned for a smooth transfer" to the next EU-U.S. agreement.
"Knowing that we still have a long road ahead of us to the launch of the new EU-U.S. Data Privacy Framework Principles for Privacy Shield, we do not see any new obligations for our Privacy Shield companies with regard to transfer practices," Fraser said. "The surveillance issue was the first hurdle and it was a huge one to overcome. The U.S. has done its part and we look forward to the next steps in bringing Privacy Shield back online to the over 5,000 companies that recognize the value of accountability."
Hunton Andrews Kurth Partners Lisa Sotto, CIPP/US, CIPM, FIP, PLS, and Aaron Simpson added, "Companies that are currently certified to the Privacy Shield framework are the lucky ones. They will be able to take advantage of the revamped Shield to transfer data to the U.S. without having to navigate the complexities of standard contractual clauses for those transfers. They may need to use (standard contractual clauses) anyway to transfer data legally to other jurisdictions, but at least the U.S. data transfers will be covered by a much simpler — and equally protective — transfer mechanism."
The IAPP is publishing these frequently asked questions and links to relevant resources from government authorities and privacy practitioners as a resource for privacy professionals working to respond to this significant court decision.
If you want to comment on this post, you need to login.