Schrems may disagree, but there are reasons to believe that the new EU-U.S. Data Privacy Framework (or Privacy Shield 2.0.) will be a durable data transfer solution. Companies should consult with VeraSafe now to begin preparing for this refreshed privacy framework.
Objective: A Legal Reboot of the EU-U.S. Data Flows
After two years without a framework for transferring personal data from the EU to the United States of America, companies on both sides of the Atlantic are starting to see light at the end of the tunnel. On October 7, 2022, President Biden issued a highly-anticipated Executive Order (EO) on Enhancing Safeguards for United States Signal Intelligence Activities. This order implements into U.S. law the commitments the U.S. made to implement the Trans-Atlantic Data Privacy Framework (DPF), announced by the U.S. and EU in March 2022. The main objective of the DPF is to fill the gap left when the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield Framework in the 2020 Schrems II decision as a valid data transfer mechanism under EU Law.
Biden’s order seeks to address the concerns that led to the invalidation of Privacy Shield: the scope of U.S. surveillance and the availability of redress from an independent tribunal. In particular, the order imposes proportionality and necessity tests on U.S. intelligence signals activities and establishes new mechanisms to address any claims that personal information was collected or handled in violation of either U.S. law or the DPF. While industry groups have largely welcomed this step towards re-establishing the efficiency and effectiveness of American and European cross-border data flows, some European consumer rights and privacy campaigners do not think it goes far enough and believe that the DPF could be soon invalidated, just like its predecessor.
There are reasons to believe that the DPF (or Privacy Shield 2.0. or Safe Harbor 3.0.) is here to stay. One of them is that in the 20+ years since the 9/11 terrorist attacks, the balance between national security interests and privacy concerns has begun to equalize in the United States, amongst both the government and the public. This equalization suggests that the “necessary and proportionate” approach articulated in the EO might be more than just words on a piece of paper—and might actually make for a durable data transfer approach.
It is quite possible that, when the Foreign Intelligence Surveillance Act (FISA) Section 7021 comes up for renewal in 2023, the U.S. Congress may dial back the bulk collection powers of the American intelligence community, given the amount of money and data at stake for U.S. and EU businesses, the criticism FISA receives2, the continued decline in FISA orders year over year3, and the changed political climate since FISA (including Section 702)was last amended in 20184. If that occurs, Max Schrems would be less likely to succeed in challenging the DPF.
In addition, after two rounds with Max Schrems, the U.S. and European Commission now have much more information about what the CJEU will and will not accept in terms of EU-U.S. data flows and the extent of U.S. public sector access to private sector data. Both sides are better positioned to implement a lasting framework that will survive a likely “Schrems III” challenge.
The third time might be the charm. VeraSafe’s EU and U.S. attorneys and advisors share with you some of our main reasons to believe that the Data Privacy Framework will be a straightforward and durable solution to transfer personal data from the European Economic Area and beyond (as the DPF can be recognized as a legal framework to transfer personal data from other jurisdictions, such as the United Kingdom).
This Current Data Transfer Legal Limbo Is Not Sustainable
The Privacy Shield Framework was generally considered to be the most-easy-to-use, cost-effective and popular5 transfer mechanism for companies engaging in EU-U.S. data flows. Its invalidation left thousands of organizations scrambling for an alternative, only to find limited and expensive options. Companies can otherwise use Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) to transfer personal data from the EU to the U.S. Still, these are expensive and difficult to implement in themselves, especially for small and mid-sized companies with no or small legal teams.
Those who can afford to use BCRs or SCCs, do not have guaranteed compliance. Data protection regulators require those transferring personal data to the U.S. to perform Transfer Impact Assessments (TIAs) and to implement “supplementary measures” where needed. Yet, even after a TIA is completed, companies do not have the certainty that all the work they put in will be considered sufficient in the eyes of regulators, since regulators can pursue them for apparently innocuous activities such as using Google Analytics on their websites.
The U.S. Has Made Groundbreaking Changes to Its Laws to Address the CJEU Concerns in Schrems II
Context first. In Schrems II, the CJEU cited two main concerns for invalidating the EU-U.S. Privacy Shield Framework: (1) lack of necessity and proportionality limits on U.S. intelligence signals surveillance programs; and (2) insufficient redress rights to challenge unlawful government surveillance.
The EO and its accompanying Department of Justice Final Rule seek to address those twin national security concerns by:
- bolstering privacy and civil liberties safeguards for U.S. intelligence activities (including by requiring U.S. intelligence authorities to limit their signals activities to what is necessary and proportionate (directly adopting terminology from EU Law) to protect national security, and creating new requirements for handling personal information collected through intelligence activities); and
- establishing a two-tier redress mechanism to address complaints from individuals in qualifying states and regional economic integration organizations regarding the lawfulness of those activities (such as European whose data is transferred to the U.S.), through:
- a first-layer review by an independent Civil Liberties Protection Officer (CLPO) in the Office of the Director of National Intelligence (ODNI), who will conduct an initial investigation of qualifying complaints and issue a binding decision on the U.S. intelligence community; and
- a second-layer review of the CLPO’s decision (with assistance from an advocate representing the complainant’s interest) by a new Data Protection Review Court (DPRC) within the Department of Justice (DOJ) consisting of judges appointed from outside government with relevant privacy and national security experience who will review cases independently, with protections against removal.
The First Reactions Are Positive
The U.S. Department of Commerce welcomes the developments achieved by the EO, including the steps taken to “fully address the Court of Justice of the European Union’s 2020 Schrems II decision”.
More importantly, the European Commission, the very institution tasked with evaluating the adequacy of U.S. law under the GDPR, including this Executive Order, has already commented that the EO brings “significant improvements compared to the Privacy Shield.”
The IAPP reports that the former Chief of the Office of Civil Liberties within the Office of the Director of National Intelligence, mentioned that President Biden’s Executive Order was “groundbreaking” in that it codifies the curtailment of certain U.S. intelligence activities to meet EU adequacy standards.
The Privacy Shield Principles Will Be Updated for Consistency with the GDPR
The U.S. Secretary of Commerce, Gina Raimondo, explained that the EU-U.S. DPF will “update the privacy principles that companies adhere to under the EU-U.S. Privacy Shield Framework and rename them as the ‘EU-U.S. Data Privacy Framework Principles.’”
Secretary Raimondo further stated that the Commerce Department would issue guidance for current Privacy Shield participants to “facilitate the transition to the updated privacy principles under the EU-U.S. DPF,” and that the Department would transmit to European authorities “a series of letters from relevant U.S. government agencies and documents outlining the operation and enforcement of the EU-U.S. DPF.”
It bears noting that, since the original Privacy Shield principles were negotiated while the EU’s General Data Protection Regulation (GDPR) was still being finalized, the original Privacy Shield Framework references the 1995 EU Data Protection Directive instead of the GDPR, even though it contemplates GDPR’s expected substantive provisions. Under the future EU-U.S. Data Privacy Framework Principles, organizations should consult with VeraSafe to prepare for this new framework, which will, among other things, update all references to the GDPR directly, and require updates to organizations’ privacy notices and self-certifications.
Naturally, Max Schrems Is Not Impressed
Shortly after President Biden issued the EO, Max Schrems, the Austrian activist and lawyer beyond the eponymous Schrems I6 and Schrems II judgments, issued a statement through NOYB, his data privacy NGO, explaining why he thinks the EO is still unlikely to satisfy EU law.
First, Schrems asserts that, even under the new “necessary” and “proportionate” standard of the EO (which tracks the language in Article 52 of the EU’s Charter of Fundamental Rights), “bulk surveillance” by the National Security Agency will continue under the new EO because, under Section 2(c)(ii) of the EO, data sent to U.S. providers will still be subject to bulk collection7.
Second, Schrems believes that the judicial redress mechanism in the EO is insufficient because the “‘Court’ is not a real court” since the DPRC will sit within the federal government’s executive—rather than judicial—branch, and will not, according the Schrems, meet other criteria of a legitimate tribunal.
Why the DPF Can Still Be a Durable Data Transfer Solution
Although the dissatisfaction of Schrems will likely culminate in yet another case brought before the CJEU, there are two important legal reasons to believe that, this time around, the new EU-U.S. Data Privacy Framework will become a durable data transfer solution that companies on both sides of the Atlantic should prepare to rely upon.
1. The Executive Order Considerably Limits the Activities of the U.S. Intelligence Community
Although Schrems takes a dim view of the EO’s “necessary” and “proportionate” limitations as applied to bulk connection of signals intelligence, that new language does appear to limit the activities of U.S. Intelligence Community (IC).
Section 2(c)(i)(A) of the EO instructs that the U.S. shall only conduct signal intelligence collection where doing so “is necessary to advance a validated intelligence priority,” and that the IC “shall prioritize such available, feasible, and appropriate alternatives to signals intelligence.” Section 2(c)(ii)(A) of the EO states explicitly that “[t]targeted collection shall be prioritized” over bulk collection and shall be used only when “a validated intelligence priority cannot reasonably be obtained by targeted collection.” Under Section 2(c)(ii)(B), the IC shall only use bulk collection information in pursuit of specific, enumerated objectives, including combatting terrorism, espionage, weapon proliferation, cybersecurity threats, threats against officials, and transnational criminal threats, such as illicit finance or sanctions evasion.
2. DPF’s Judicial Redress Mechanism Is Much More Robust than That under the Privacy Shield Framework
Schrems dismisses the new Data Protection Review Court (DPRC) out of hand. However, the two-step process set forth in the EO provides for a judicial redress mechanism much more robust than what was in place in the original Privacy Shield framework, specifically the designation of an Ombudsperson within the Department of State tasked with receiving requests from Europeans regarding possible U.S. national security access to their personal data. The CJEU found the Ombudsman designation insufficient in Schrems II under Article 47 of the Charter of Fundamental Rights of the EU. Article 47 of the Charter establishes that a sufficient “tribunal” must have certain characteristics, such as independence, impartiality, access to representation, and a fair and public hearing—requirements that DOJ’s Final Rule implementing the DPRC seeks to satisfy.
According to the DOJ, the judges who will serve on the DPRC will be individuals appointed from outside of the Federal Government, with national security and privacy expertise, and preferably prior judicial experience as well. The judges will not be subject to day-to-day review by the Attorney General and will be immune from removal or adverse action for performing their official roles. A three-judge panel will hear appeals from CLPO decisions on individual claims from EU member states with the assistance of an appointed advocate to represent complainants’ interests. The decisions rendered by the DPRC judges will be final and binding on the IC, and they will be empowered to order remediation activities.
The DPRC will not sit in the federal government’s judicial branch—and will not conduct its work in public, due to the national security implications (a likely sticking point for Max Schrems)—but many other requirements of Article 47 will be present, making approval by the CJEU more likely.
When and How to Prepare for the DPF
Waiting is not advisable. As soon as the European Commission recognizes the DPF as a valid data transfer mechanism for the EU, companies that provide Privacy Shield / DPF verification services will be flooded with requests to assist businesses to certify under the DPF. This increase in demand will inevitably cause delays in services and, possibly, price increases. We also need to consider that the self-certification process with the Department of Commerce may also be substantially delayed if too many organizations submit their applications at the same time.
Companies who want to take advantage of the new DPF as soon as it is in place, for business efficiency and cost-saving reasons, should start now. In particular, to be able to freely receive data from the EU under the DPF’s future adequacy decision, you need to do two things now:
- Stay tuned for guidance from the Department of Commerce on the necessary steps to extend your certification to the revised framework (for existing Privacy Shield participants) or to certify under the new framework for the first time.
- Evaluate the general status of your data privacy program and work towards aligning it with the GDPR requirements. The Privacy Shield is older than the GDPR, and the Department of Commerce has already warned that the Data Privacy Framework principles will mirror the GDPR requirements more than the Privacy Shield.
Why You Should Start Preparing Your DPF Certification with VeraSafe
VeraSafe has been advising companies for more than 10 years in their data protection compliance efforts, and assisted hundreds of organizations in certifying under the Privacy Shield and bringing their data transfers into compliance with the GDPR. We can definitely help you prepare for this new framework, which will, among other things, require you to update all references to the GDPR directly and privacy notices and self-certifications.
If you need guidance to follow these developments and their implications for your company, please contact us for a free consultation.
See the Notice by the Privacy and Civil Liberties Oversight Board from September 26, 2022, collecting public comments regarding FISA 702 reauthorization in 2023, available at https://www.federalregister.gov/documents/2022/09/26/2022-20415/notice-of-the-pclob-oversight-project-examining-section-702-of-the-foreign-intelligence-surveillance.
For example, the Watson Institute for International and Public Affairs advocated for passing legislation that would repeal “surveillance state” sections of the amended FISA and the Patriot Act. More information available at: https://watson.brown.edu/costsofwar/costs/social/rights/surveillance.
According to an article published by the Lawfare Institute, FISA Orders Issued Under Title I, Title III, and Sections 703 and 704 decreased from 1,767 in 2013 to 430 in 2021. See Table 1 of the article, available at https://www.lawfareblog.com/new-statistics-confirm-continuing-decline-use-national-surveillance-authorities.
See FISA Amendments Reauthorization Act of 2017, available at https://www.congress.gov/115/plaws/publ118/PLAW-115publ118.htm.
According to a Congressional Research article: “At the time of the CJEU’s judgment in July 2020, Privacy Shield had 5,380 participants (over 75% of which are small and mid-sized firms, SMEs), including U.S. businesses and other organizations, U.S. subsidiaries in the EU, and 250 entities headquartered in the EU.”
In Schrems I, the CJEU invalidated the Safe Harbor decision, which was the primary mechanism under which more than 4,400 companies of all sizes, and across all industries, legally transferred data from the EU to the United States between 2000 and 2015.
Schrems and others often improperly conflate bulk “collection” with bulk “surveillance,” but those with a better understanding of NSA’s activities recognize that much of what the intelligence community obtains through bulk collection programs such as PRISM or UPSTREAM is never reviewed or analyzed.