International: What the Executive Order and the EU-US DPF mean for companies
In the fourth quarter of 2022, new hope emerged for transatlantic data flows with a pair of significant developments in the effort by the EU and the US governments to adopt a new mechanism for transferring the personal data of EU individuals to the US.
W. James Denvil and Julian B. Flamant, from Hogan Lovells, discuss the key changes introduced by Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities ('the Executive Order') and the EU-US Data Privacy Framework ('EU-US DPF'), and examine the impact these have on companies carrying out transatlantic data transfers.
First, on 7 October 2022, U.S. President Joe Biden issued the Executive Order, which adds procedural safeguards to surveillance activities in the US and creates new oversight and redress mechanisms. Second, on 13 December 2022, the European Commission published its draft adequacy determination for the EU-US DPF, a new certification scheme set to replace the defunct Privacy Shield following its invalidation by the Court of Justice of the European Union ('CJEU') in July 2020.
The draft EU-US DPF adequacy determination provides important insight on how European regulators may evaluate transfers of EU personal data to the US now that the Executive Order has been issued and clears the path for an enduring framework to emerge. The two developments are significant signs of progress in the nearly two-year negotiation process that help provide some much-needed certainty for the future viability of transatlantic data flows.
As of the date of writing, though, there are still hurdles to overcome before companies can use the EU-US DPF to legitimise their data transfers.
A so-called 'adequacy' determination, by which the European Commission finds that the laws of a third country or sector provide a level of data protection that is 'adequate', meaning essentially equivalent to the protection guaranteed under EU law, is one mechanism legitimising cross-border personal data transfers under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). So far, the European Commission has determined that laws in 16 countries or sectors are 'adequate'.
The privacy laws of the US as a whole have never been the subject of an adequacy determination. However, the European Commission previously found that two negotiated transfer mechanisms, the so-called Safe Harbor and Privacy Shield frameworks, offered adequate protection when companies committed to apply their principles to EU-US personal data transfers. Because surveillance activities by US intelligence agencies might allow broad access to EU personal data even when the transferred data was subject to those frameworks' protections, though, the CJEU invalidated the adequacy decisions underpinning Safe Harbor and Privacy Shield in two high-profile cases: Maximillian Schrems v. Data Protection Commissioner (C-362/14) ('Schrems I'), decided in 2015, and Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II'), decided in 2020.
The CJEU's landmark decision in the Schrems II case invalidated the Privacy Shield data transfer framework and exacerbated uncertainties regarding the future viability of lawful transatlantic data transfers. In its Schrems II decision, the CJEU held that the European Commission's adequacy decision legitimising the Privacy Shield was invalid because it did not sufficiently consider US intelligence agencies' authority to access EU personal data in the US. In particular, the CJEU held that US intelligence agencies' authority to access personal data in bulk violated EU law because the US's legal frameworks for surveillance did not limit data collection to that which is strictly necessary and proportionate to legitimate national security objectives. Although the Privacy Shield included a mechanism by which EU individuals could complain of perceived data protection violations, the CJEU held that EU data subjects did not have actionable redress to challenge that data collection.
After Schrems II, thousands of Privacy Shield-certified companies could no longer rely on the Privacy Shield to transfer EU personal data to the US. Those companies were forced to revert to other transfer mechanisms, such as the European Commission's Standard Contractual Clauses ('SCCs'), for their EU-US transfers of EU personal data.
The legitimacy of the SCCs had itself been called into question by the CJEU's Schrems II finding that they were 'valid in principle', but that data exporters and European regulators had an obligation to review the legitimacy of SCC-based transfers on a case-by-case basis. And, with the European Commission's release of updated SCCs in June 2021, companies transferring EU personal data across the Atlantic had to update their vendor and customer contracts and engage in costly reviews of third-country laws to avoid running afoul of EU rules.
The Executive Order and the US surveillance reform
The Executive Order was issued to help underpin the EU-US DPF, and it represents a major reform of the scope of US intelligence agencies' access to personal data held by US companies. Its safeguards also apply outside the EU-US DPF, because it reforms all US signals intelligence activities rather than only the handling of data transferred under the framework. The Executive Order does not replace any US surveillance laws. Instead, it adds a layer of protection on top of the existing US surveillance apparatus that restricts the activities of intelligence agencies regardless of which legal authority they use to seek access to data for national security purposes.
In particular, the Executive Order's oversight measures rely on principle-based safeguards that must be adopted by the head of each US intelligence agency, and scrutinised by the independent Privacy and Civil Liberties Oversight Board ('PCLOB'). The safeguards include data minimisation obligations for all personal data collected by US surveillance agencies and additional constraints reflecting considerations regarding EU law and EU fundamental rights concepts of necessity and proportionality.
For necessity, the Executive Order requires that surveillance activities conducted by US intelligence agencies are necessary to advance a validated intelligence priority. Validated intelligence priorities are inherently limited in scope: they must be established through separate processes under US law and must relate to specific objectives listed in the Executive Order, such as:
- understanding or assessing the capabilities, intentions, or activities of a foreign government, a foreign military, a faction of a foreign nation, a foreign-based political organisation, or an entity acting on behalf of, or controlled by, any such entities;
- protecting against foreign military capabilities and activities;
- protecting against terrorism;
- protecting against espionage; and
- protecting against cybersecurity threats created or exploited by, or malicious cyber activities conducted by, or on behalf of, a foreign government, foreign organisation, or foreign person.
For proportionality, the Executive Order requires that signals intelligence activities that are necessary to achieve a validated intelligence priority also are proportionate to the validated intelligence priority.
The Executive Order also establishes a two-layer redress mechanism accessible to individuals. Under the first layer, individuals are able to submit complaints to the Civil Liberties Protection Officer ('CLPO') within the Office of the Director of National Intelligence. Upon receiving a complaint, the CLPO will be required to conduct an independent initial investigation to determine whether there has been a violation of the Executive Order's requirements, and has the authority to require remediation. The Executive Order outlines specific procedural requirements for the CLPO's review. Individuals who take issue with the CLPO's finding under the first layer will be able to appeal it to a Data Protection Review Court ('DPRC'). Under the second layer, the DPRC, composed of judges appointed from outside the U.S. Government and subject to safeguards designed to guarantee their independence, will review the CLPO's initial decision. In this layer, a special advocate will also be appointed to represent the complainant's interests before the DPRC.
Both the CLPO's decision and the DPRC's decision, if a matter is appealed to that body, will be binding on US intelligence agencies. In order to make the two-layer redress mechanism available to foreign individuals, the Executive Order authorises the U.S. Attorney General to designate a jurisdiction (i.e. a country or regional economic integration organisation) as a 'qualifying state' for purposes of the redress mechanism. This means that the EU will need to be designated as a 'qualifying state' before EU data subjects gain access to the redress mechanism.
The EU-US DPF
In light of the Executive Order's additional safeguards for the protection of personal data held by companies in the US, the European Commission concludes in its draft decision that the EU-US DPF's enhanced safeguards would guarantee adequate protection of EU personal data when transferred to the US under the EU-US DPF. Importantly, the overall structure and approach of the EU-US DPF is similar to that of the invalidated Privacy Shield, with only minor updates to address changes in EU data protection laws and US surveillance laws. This means that companies which have maintained their Privacy Shield certifications, or which have determined that they could comply with those principles, should not face substantial challenges in certifying to the EU-US DPF for their transatlantic transfers of EU personal data once the adequacy decision is finalised.
The European Commission engaged in a robust assessment of US laws (including the Executive Order's enhanced safeguards) and apparently seeks to head off potential CJEU challenges by squarely addressing the concerns the CJEU raised in Schrems II. The European Commission focuses on the necessity and proportionality standards for the collection of signals intelligence by US intelligence agencies, as well as the expected effectiveness of the Executive Order's redress mechanism. It is notable that the European Commission also re-evaluated the surveillance laws the CJEU took issue with in Schrems II, as well as US law enforcement mechanisms for accessing EU personal data, which were not an explicit focus of the Schrems II case.
In its review of US surveillance authorities, the European Commission highlights that the Executive Order requires US intelligence agencies to incorporate the principles of necessity and proportionality at the outset of their surveillance activities, and to establish oversight mechanisms to ensure that those limitations are applied in practice. Furthermore, the European Commission highlights that the two-layer redress mechanism required by the Executive Order allows EU data subjects to avail themselves of protections similar to those guaranteed under EU law, namely to obtain a review of the lawfulness of US intelligence authorities' access to their personal data and to obtain remedies for unlawful activities, including rectification and erasure of their personal data.
The European Commission clarifies that the safeguards set forth in the Executive Order must still be implemented by the relevant heads of US intelligence agencies, and that the two-layer redress mechanism must still be formally established and made available to EU data subjects. Because of this, the European Commission has made the adoption of the EU-US DPF adequacy decision contingent on those implementing steps being completed.
The European Commission's draft adequacy decision has kicked off the EU's approval process for the EU-US DPF, which is expected to take approximately six months. During the approval period, three EU bodies will review the draft adequacy decision:
- The draft adequacy decision has been transmitted to the European Data Protection Board ('EDPB') for its opinion. The EDPB's opinion will not be binding on the European Commission's ultimate determination, but is expected to have a significant impact on the framework's viability because it will represent the coordinated position of the data protection regulators of the EU Member States.
- The European Parliament will have the right to scrutinise the European Commission's adequacy decision. Though approval from the European Parliament is not formally required, its position likely would impact the EU-US DPF's legitimacy as an enduring transfer mechanism.
- A committee composed of representatives from EU Member States must formally approve the European Commission's adequacy decision.
The European Commission's draft adequacy decision contains placeholders for the EDPB, the European Parliament, and committee reviews. After the reviews and negotiations, the European Commission will adopt its final adequacy determination and publish it in the EU Official Journal, with immediate effect, at which point companies certifying EU-US DPF compliance with the U.S. Department of Commerce will be able to proceed with using that mechanism for their transfers of EU personal data to the US.
What to do now
Until the European Commission is able to adopt its final adequacy determination for the EU-US DPF, companies should continue to focus their attention on the transfer tools they are currently using for lawful transatlantic data transfers. First and foremost, all companies using SCCs for data transfers should have already updated their contracts to incorporate the version of the SCCs published in June 2021 (with the final deadline for updating SCCs having passed on 27 December 2022).
Companies using valid transfer mechanisms should also consider updating their Transfer Impact Assessments ('TIAs') covering EU-US transfers of EU personal data to reflect the new safeguards under the Executive Order. Though the Executive Order's redress mechanism is not yet established, and not yet available to EU data subjects, its safeguards requiring US intelligence agencies to incorporate the EU concepts of necessity, proportionality, and data minimisation into their surveillance activities have immediate effect. Companies that update their TIAs now to account for the Executive Order should note, however, that further updates will be necessary once the heads of US intelligence agencies formally incorporate those principles into their agency guidelines, as the Executive Order requires within one year, and once the two-layer redress mechanism is formally established.