International: Reactions to the US Executive Order implementing the EU-US DPF
The White House announced, on 7 October 2022, that U.S. President Joseph Biden had signed, on the same date, the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which directs the steps that the US will take to implement its commitments under the European Union - U.S. Data Privacy Framework ('EU-US DPF'), as announced in March 2022. In response to the Executive Order, the European Commission released its Questions and Answers ('Q&As') and announced that it will now prepare a draft adequacy decision, as well as launch its adoption procedure, a process which could take up to six months.
You can read the full story here.
Since the announcement, various data protection authorities and industry bodies have published their first reactions. OneTrust DataGuidance has compiled some of these responses below.
Data protection authorities and government bodies
UK
The UK Secretary of State for Digital, Culture, Media and Sport and the US Secretary of Commerce issued, on 7 October 2022, a joint statement, confirming plans for the UK to review the order and to prepare for an adequacy decision for UK-US data flows in early 2023.
You can read the full story here.
Switzerland - FDPIC
The Federal Data Protection and Information Commissioner ('FDPIC') issued, on 7 October 2022, a statement taking note of the signature of the order, regulations, factsheet and Commission's Q&As, stating that it is currently analysing the same.
You can read the statement here.
Denmark - Datatilsynet
The Danish data protection authority ('Datatilsynet') published, on 7 October 2022, its statement on the order, outlining that it is not itself a basis for transfers of personal data, until the Commission has approved an assessment that, overall, states that there is a sufficient level of protection for personal data in the US. Furthermore, Datatilsynet indicated that the collection of personal data must be proportionate and limited to what is strictly necessary, and EU citizens who have their personal data processed by US intelligence services must have access to effective legal remedies, including an independent appeals body.
You can read the statement, only available in Danish, here.
Other
NOYB
None of your business ('NOYB') released, on 7 October 2022, a statement in which it issued its first reaction to the order. In particular, NOYB concluded that the order would be unlikely to satisfy EU law and outlined various concerns upon initial inspection. Crucially, NOYB stated that, should the decision of the Commission not remain in line with EU law and the relevant Court of Justice of the European Union ('CJEU') judgments, NOYB will likely bring another challenge before the CJEU.
You can read the full story here.
Future of Privacy Forum
The Future of Privacy Forum ('FPF') issued, on 7 October 2022, a statement from its CEO, Jules Polonetsky, on the order. In particular, Polonetsky's statement welcomed the order, but noted that important legal discussions must take place regarding the exact nature of the judicial redress and oversight mechanism, restrictions on bulk collection, and the reciprocity requirement for redress, which requires any country to implement safeguards for US citizens' data to benefit from the system.
You can read the statement here.
EPIC
The Electronic Privacy Information Center ('EPIC') released, on 7 October 2022, a statement in which it issued its first reaction to the order. In particular, EPIC provided that the order would be unlikely to satisfy the CJEU standards for privacy protection. More specifically, EPIC noted that while the order does provide some privacy safeguards, it does not fully bar the use of bulk collection methods by US intelligence agencies. Likewise, EPIC also detailed the complexity of the redress mechanism and the lack of any notice provisions.
In addition, EPIC Executive Director, Alan Butler, stated that "The new Data Protection Review Court is a step in the right direction, but the Administration must ensure that existing barriers to redress - such as notice, excessive secrecy, and undue deference to national security authorities - do not continue to stymie independent, meaningful efforts to vindicate privacy rights".
You can read the statement here.
TACD
The Transatlantic Consumer Dialogue ('TACD') released, on 7 October 2022, a statement in which it issued its first reaction to the order. In particular, the TACD stated that following its first analysis of the order, it had found that the new measures would not provide adequate protection to European consumers' fundamental privacy and data protection rights established under the EU Charter of Fundamental Rights and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). More specifically, the TACD noted the following with regard to the inadequacy of the new measures introduced by the order:
- though the wording of the order includes 'proportionality', it does not establish any mechanisms to limit the US mass surveillance systems in place and as such fails to solve the issue of the lack of proportionality of the US surveillance laws and practices; and
- the order does not provide for real judicial redress to European consumers, since the 'Data Protection Review Court' included in the two-step mechanism for redress established therein, might not be a judicial body, but a body within the US government's executive branch.
As such, the TACD urged the European Commission not to adopt a new adequacy decision without further changes to the order, and noted that it will further analyse the new order in detail and will issue a set of recommendations on the same.
You can read the statement here.
ACLU
The American Civil Liberties Union ('ACLU') released, on 7 October 2022, a statement in which it issued its first reaction to the order. In particular, the ACLU concluded that the order does not meet basic legal requirements in the EU, noting that the order without more cannot cure the deficiencies of the US surveillance regime. Moreover, senior staff attorney at the ACLU, Ashley Gorski, stated that "to protect our privacy and to put transatlantic data transfers on a sound legal footing, Congress must enact meaningful surveillance reform". Furthermore, the ACLU is calling on Congress to radically reform US surveillance laws to rein in warrantless spying, and to ensure that there is a meaningful opportunity to challenge the government's surveillance, noting that the following reforms are necessary to include:
- ending bulk, generalised data collection conducted under Executive Order 12333;
- narrowing the categories of persons who may be targeted using surveillance under Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333; and
- ensuring that individuals impacted by US surveillance are able to challenge improper surveillance in US courts, including by reforming the 'state secrets privilege'.
You can read the statement here.
BBB
The BBB National Programs ('BBB') issued, on 7 October 2022, a statement from its Vice President, Dona Fraser, on the Executive Order. In particular, the BBB praised the U.S. Department of Commerce and their counterparts in the European Commission for lifting the cloud of uncertainty that has been hanging over Privacy Shield for more than two years. Moreover, the BBB highlighted that they are ready to ensure that businesses that have opted to remain self-certified to Privacy Shield will experience a smooth transition to the EU-U.S. Data Privacy Framework Principles.
You can read the press release here.
UPDATE (11 October 2022)
BEUC
The European Consumer Organisation ('BEUC') published, on 7 October 2022, its opinion on the EU-US DPF. In particular, the BEUC took the view that the EU-US DPF is likely still insufficient to protect EU citizens' privacy and personal data when it is transferred to the US. More in detail, the BEUC noted that most of the measures proposed by the order are aimed at addressing the Court of Justice of the European Union's concerns regarding U.S. Government surveillance. However, the BEUC continued, there are no substantial improvements to address issues related to the commercial use of personal data, an area where the previous agreement, the EU-US Privacy Shield, fell short of the GDPR's requirements.
As such, the BEUC reasoned that there are still fundamental differences in the level of privacy and data protection in the US and the EU which remain too large to make up for, despite the additional safeguards the US side is proposing to build in.
You can read the announcement here and the opinion here.
Chamber of Commerce
The U.S. Chamber of Commerce issued, on 7 October 2022, a statement welcoming the order. In particular, U.S. Chamber Executive Vice President and Head of International Affairs, Myron Brilliant, declared, "Today's executive order implementing the EU-U.S. Data Privacy Framework represents an important commitment to ensure stability, predictability, and accountability to data flows and the transatlantic relationship. These actions are critical to providing companies of all sizes the legal certainty they need to transfer, analyze, and utilize data on both sides of the Atlantic. Given the depth and breadth of the transatlantic economic partnership - and the volume of trade and investment facilitated by data transfers - this new framework between the U.S. and EU is vitally important".
You can read the press release here.
UPDATE (12 October 2022)
ITI
The Information Technology Industry Council ('ITI') issued, on 7 October 2022, a statement welcoming the order. In particular, the ITI stated that the order and DPRC Regulations will help stabilise transatlantic data flows via transfer mechanisms such as Standard Contractual Clauses ('SCCs') that were thrown into doubt following the annulment of the Privacy Shield. Specifically, the ITI noted that its President and CEO Jason Oxman highlighted that, "today's actions will help restore business certainty and safeguard continuity of key business operations as data moves across the Atlantic, while also upholding European citizens' fundamental rights, and the security and public safety interests of the US, EU, and other qualified states. We appreciate the Biden Administration's attention to this critical issue and look forward to working with the EU to implement the EU-U.S. Data Privacy Framework over the coming months."
You can read the statement here.
U.S. Department of Commerce
The U.S. Department of Commerce published, on 7 October 2022, a statement from U.S. Secretary of Commerce Gina Raimondo on the order, outlining that the EU-US Data Privacy Framework represents the culmination of joint efforts by the US and the Commission to restore trust to transatlantic data flows. In addition, Gina Raimondo deemed as robust the commitments enshrined in the new EU-US Data Privacy Framework, explaining that it fully addresses the Court of Justice of the European Union's Schrems II decision. Lastly, the U.S. Department of Commerce stated that it will work with current Privacy Shield participants to facilitate the transition to the updated privacy principles under the new EU-US Data Privacy Framework.
You can read the statement here.
UPDATE (27 October 2022)
LfDI Baden-Württemberg
The Baden-Württemberg data protection authority ('LfDI Baden-Württemberg') released, on 26 October 2022, a statement on the order. In particular, the LfDI Baden-Württemberg outlined that, in principle, it welcomes the fact that the U.S. Government is taking action with regard to data transfers. However, the LfDI Baden-Württemberg observed considerable legal ambiguity. In this regard, the LfDI Baden-Württemberg noted that the question arises as to the extent to which an executive order can actually be an effective instrument for implementing the requirements of the GDPR, further explaining that the order represents an internal instruction to the Government and subordinate authorities and is not a law that has been passed by a legislator, and is therefore final. In addition, the LfDI Baden-Württemberg reminded that compliance with an executive order is not legally enforceable, especially for EU citizens. Moreover, the LfDI Baden-Württemberg criticised the Data Protection Review Court, questioning its judicial independence.
You can read the statement, only available in German, here.
UPDATE (29 November 2022)
HmbBfDI
The Hamburg Commissioner for Data Protection and Freedom of Information ('HmbBfDI') released, on 29 November 2022, a statement outlining the content and effects of the Executive Order. Specifically, the HmbBfDI explained that, currently, nothing decisive has changed in the legal situation in the US, highlighting that the Executive Order provides for a transitional period of up to one year for US secret services to integrate the guarantees provided for in the legal act into their practical work. In this regard, the HmbBfDI took the view that such integration will likely take several months, especially in relation to the new requirement to restrict data access to a reasonable level and the creation of a complaints body and the Data Protection Review Court. Further to this, the HmbBfDI reminded that, for the time being, access powers in the US continue to go beyond what is required in a democratic society.
Separately, the HmbBfDI noted that, when examining the Executive Order, the Commission will face the challenge of evaluating an abstract legal text that is not yet put into practice.
You can read the press release, only available in German, here.
UPDATE (15 December 2022)
Parliament Think Tank
The European Parliament Think Tank published, on 14 December 2022, a briefing entitled 'Reaching the EU-US Data Privacy Framework: First reactions to Executive Order 14086'. In particular, the briefing examines the Executive Order and its accompanying regulation as the first building block of a new EU-US DPF. Notably, the briefing outlines that views on the EU-US DPF diverge. Specifically, the briefing explains, critics submit that the requirements used to limit signals intelligence activities are susceptible to liberal interpretation and, in parts, open to secret amendments by the U.S. President, while also calling into question the independence and effectiveness of the redress mechanism on account of its integration with the executive branch and transparency deficits.
You can read the press release here and the briefing here.