International: Understanding data transfers under the new EU-US Data Privacy Framework
On 7 October 2022, Joseph Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities ('the Executive Order'), which directs the steps that the US will take to implement its commitments under the European Union - U.S. Data Privacy Framework ('EU-US DPF'). Mark Francis, Partner at Holland & Knight LLP, traces the history of EU-US data transfer frameworks, and discusses the EU-US DPF and how it will impact businesses.
- The EU-US DPF is based on:
- a new Trans-Atlantic Data Privacy Framework ('TADPF') regarding US intelligence activities; and
- the existing EU-US Privacy Shield framework regarding businesses' commercial activities.
- While the EU-US DPF therefore reflects a number of new safeguards around the U.S. Government's access to, and use of, personal information from the EU, businesses will generally face the same obligations under the EU-US DPF that were imposed by the Privacy Shield program, although there may be some updates.
- It will be two to three years before we know if the EU-US DPF can serve as a long-term solution for EU-US data transfers since it will inevitably be subject to EU legal challenges once implemented.
For many years, data flows from the EU to the US have been subject to legal challenges and regulatory objections in the EU due to concerns that personal information transferred to the US would not receive sufficient privacy protections and could be accessed by US authorities under broad national security laws, such as Section 702 of the Foreign Intelligence Surveillance Act ('FISA') and Executive Order 12333. A resolution of these issues has been desperately sought by many thousands of businesses who need stable and lawful mechanisms for cross-border data transfers to support vital economic ties. EU and US authorities reached an 'agreement in principle' on a new TADPF in March 2022 and have undertaken efforts to implement that agreement since then.
On 7 October 2022, President Biden issued the Executive Order to modify national security practices and resolve the privacy issues raised by EU authorities [1]. The Executive Order supports a new EU-US DPF negotiated by US and EU authorities with the aim of adopting more robust cross-border privacy protections and overcoming legal challenges in the EU. The U.S. Department of Justice concurrently issued regulations in support of the Executive Order ('the Regulations') [2].
In particular, the Executive Order:
- curtails the access and use of EU personal information to specific national security activities and in a manner that does not disproportionately impact privacy rights; and
- implements a complaint mechanism and independent Data Protection Review Court ('DPRC').
Immediately following the release of the Executive Order, the European Commission released a statement indicating that it would proceed with preparing a draft adequacy decision and adoption procedure [3]. That process will entail an opinion from the European Data Protection Board ('EDPB') and approval by a committee of EU Member State representatives, and potentially a review by the European Parliament.
Importantly, the EU-US DPF should not meaningfully change privacy obligations for businesses complying with, and certified under, the prior Privacy Shield framework, since the key changes agreed-upon under the EU-US DPF are directed at U.S. Government activities.
It will likely be another two or three years before we know if these issues have truly been resolved. US changes in support of the EU-US DPF need to be reviewed by the Commission, which will likely issue an adequacy decision sometime in 2023. The Executive Order mandates changes within US intelligence agencies by 7 October 2023, so a final adequacy decision is likely to come after that date. The decision will be challenged by EU privacy advocates, such as Max Schrems, and will need to be upheld by the Court of Justice of the European Union ('CJEU') before businesses can rely on the EU-US DPF as a viable go-forward mechanism for cross-border transfers. Max Schrems already posted on his website that he believes the Executive Order to be insufficient, given that the commitment language has different meanings in EU and US jurisdictions and that the administrative DPRC will not have the same powers as a federal court under the judicial branch of the U.S. Constitution [4].
On a related front, a joint statement by the US and UK was also released on 7 October 2022, acknowledging the Executive Order and indicating that efforts were well underway to support US-UK data transfers under a similar arrangement and adequacy decision [5].
The history of EU-US data transfers in the last two decades has been complex and painful.
- In 1995, the EU enacted binding legislation on the privacy of personal information known as the Data Protection Directive (Directive 95/46/EC of the European Parliament) ('the Directive'). Under the Directive, companies in the EU could not send personal information to countries outside the EU unless they satisfied one of the available transfer mechanisms, one of which is an adequacy decision that the receiving country has sufficient privacy protections in place.
- In July 2000, the Commission approved a 'safe harbour scheme' under which US companies that complied with certain privacy principles and certified accordingly with the U.S. Government were allowed to transfer data from the EU to the US (the 'Safe Harbor') without relying on other available mechanisms, like Standard Contractual Clauses ('SCCs') [6].
- An October 2015 decision by the CJEU in the Schrems I case held that the Safe Harbor framework was invalid, finding that the ability of US government agencies to access electronic communications within the US violated EU privacy rights [7].
- In February 2016, EU and US authorities agreed to replace the Safe Harbor with a new framework known as the EU-US Privacy Shield (described below) [8].
- The Directive was replaced by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') as of 25 May 2018, which increased privacy protections for EU residents [9].
- On 16 July 2020, in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II Case'), the CJEU held that the Privacy Shield was invalid under the GDPR, citing concerns about US government activities very similar to those raised in its previous decision [10].
In the absence of a reliable adequacy decision, businesses have been relying on other transfer mechanisms, including SCCs, Binding Corporate Rules ('BCRs'), and individual consent. For various reasons, however, these mechanisms are not optimal and often increase the contractual and operational burdens of facilitating data transfers. In addition, Max Schrems and other privacy advocates have pursued regulatory and legal proceedings to invalidate some of these other mechanisms for US transfers, with some measure of success, presenting even more uncertainty for businesses.
On 25 March 2022, after extensive negotiations, Commission President von der Leyen and U.S. President Biden announced an agreement in principle to overcome the issues raised by the CJEU in its Schrems II decision [11]. The agreement included US commitments to implement reforms that strengthen privacy and civil liberties protections in regard to US signals intelligence activities.
The recently released Executive Order and Regulations in support of the TADPF, coupled with the existing Privacy Shield, form the EU-US DPF that will hopefully gain an adequacy decision in the EU and survive the legal challenges that doomed the first two frameworks.
The Privacy Shield framework
The Privacy Shield framework was approved by the Commission on 16 July 2016 as a replacement to the Safe Harbor invalidated in Schrems I. The framework is designed around seven primary Privacy Shield Principles [12]:
- notice: individuals must be informed on how their information is collected and used;
- choice: individuals can opt out of the collection and transfer of their information;
- accountability for onward transfer: third parties who receive the information must be subject to the same data protection principles;
- security: reasonable efforts must be made to protect the information;
- data integrity and purpose limitation: collected information must be relevant and reliable for its intended purpose;
- access: individuals must be able to access their information, and correct or delete it if inaccurate or used in violation of the principles; and
- resources, enforcement, and liability: there must be effective means of enforcing these rules.
A set of 16 supplemental principles are also binding and cover a variety of topics, such as sensitive data, exceptions, liability, due diligence and audits, certification, and handling of specific types of data. The Privacy Shield also establishes rules for dispute resolution so individuals can seek recourse for unresolved claims.
The Privacy Shield program is operated by the U.S. Department of Commerce. A business that wants to operate under the Privacy Shield as a lawful basis to transfer EU personal information to the US must:
- confirm it is subject to the jurisdiction of the Federal Trade Commission ('FTC') or the Department of Transportation ('DOT'); and
- pay the required fee and submit a self-certification to the U.S. Department of Commerce [13].
The Privacy Shield has annual re-certification obligations, and the FTC and DOT are tasked with the enforcement of Privacy Shield obligations.
The Privacy Shield also had components relating to U.S. Government obligations, although that is where the new framework steps in.
The EU-US DPF
The objective of the new EU-US DPF is to restore the validity of the Privacy Shield and allow for data to flow freely and safely between the EU and participating US businesses by resolving U.S. Government surveillance issues. The key principles include:
- continued obligations for companies processing EU data to adhere to pre-existing Privacy Shield requirements and self-certify with the U.S. Department of Commerce;
- new rules that limit access to EU data by US intelligence authorities to what is necessary and proportionate to protect national security, with new procedures that will ensure effective oversight of new privacy and civil liberties standards; and
- a new two-tier redress system to investigate and resolve complaints of EU residents on access of data by US intelligence authorities, including a DPRC [14].
The new rules:
- require that relevant US signals intelligence activities be conducted only in pursuit of defined national security objectives (e.g. terrorism), take into consideration the privacy and civil liberties of all persons regardless of nationality or residence, and be conducted only when necessary and in proportion to a validated intelligence priority;
- mandate safeguards for the handling and oversight of personal information collected through US signals intelligence activities;
- instruct US intelligence agencies to update policies and procedures to implement the new requirements; and
- direct the Privacy and Civil Liberties Oversight Board ('PCLOB') to review intelligence agency policies and procedures for adherence to the Executive Order (Section 2) and conduct an annual review of the redress process.
These requirements are addressed at great length within the Executive Order. For example, it prescribes 12 legitimate objectives for information collection activities (e.g. threats to US personnel) and four prohibited objectives (e.g. suppressing dissent).
Under the new redress system, individuals from countries and regional organisations designated by the Executive Order can seek independent review of claims that personal information collected through US signals intelligence violated applicable US laws, including under the Executive Order (Section 3).
Under the two-tier system, complaints can be submitted to the Civil Liberties Protection Officer ('CLPO') in the Office of the Director of National Intelligence ('ODNI'), who will conduct necessary investigations and issue binding decisions with appropriate remediation.
As a second layer of review, a new DPRC established by the Attorney General will provide independent and binding review of the CLPO's decisions, upon an application from the individual or a member of the intelligence community. Judges on the DPRC will be appointed from outside the U.S. Government, have relevant experience in the fields of data privacy and national security, review cases independently, and enjoy protections against removal. The Executive Order also provides that the DPRC should select a special advocate in each case to represent the complainant's interest in the matter and ensure the DPRC is well-informed of the issues and law relevant to the matter.
How will the EU-US DPF impact businesses?
While businesses will largely be following existing Privacy Shield obligations under the new EU-US DPF - which reflects the fact that the CJEU's decisions did not pertain to business requirements under the Privacy Shield - some updates are expected.
In particular, the U.S. Department of Commerce ('DOC') will update its directions and guidance on implementing Privacy Shield compliance in business privacy policies and self-certification [15]. In part, this is due to changes in EU law, from the Directive to the GDPR, after the original Privacy Shield was adopted.
As matters unfold in the next two to three years, one suspects that businesses will champion survival of the EU-US DPF in the inevitable legal challenges, while largely sticking with SCCs and other currently available transfer mechanisms until long-term viability of the EU-US DPF is firmly established.
Mark Francis, Partner
Holland & Knight LLP, New York
1. See: https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities/
2. See: https://www.govinfo.gov/content/pkg/FR-2022-10-14/pdf/2022-22234.pdf
3. See: https://ec.europa.eu/commission/presscorner/detail/en/qanda_22_6045
4. See: https://noyb.eu/en/new-us-executive-order-unlikely-satisfy-eu-law
5. See: https://www.gov.uk/government/publications/uk-and-us-progress-tech-and-data-partnership/uk-us-joint-statement-new-comprehensive-dialogue-on-technology-and-data-and-progress-on-data-adequacy
6. See: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML
7. See: https://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf
8. See: https://ec.europa.eu/commission/presscorner/detail/en/IP_16_216
9. See: https://eur-lex.europa.eu/eli/reg/2016/679/oj
10. See: https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=12312155
11. See: https://ec.europa.eu/commission/presscorner/detail/en/IP_22_2087
12. See: https://www.privacyshield.gov/article?id=Requirements-of-Participation
13. See: https://www.privacyshield.gov/article?id=How-to-Join-Privacy-Shield-part-1
14. See: https://ec.europa.eu/commission/presscorner/detail/en/FS_22_2100
15. See: https://www.commerce.gov/news/press-releases/2022/10/statement-us-secretary-commerce-gina-raimondo-enhancing-safeguards