We Have an EO, but Not (Yet) a New Transfer Mechanism
On October 7, 2022, US President Joe Biden signed the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the Executive Order), introducing new safeguards to protect the personal data shared between the EU and the US.
The Executive Order is the first tangible step towards a new transatlantic framework for personal data transfers, following the March 25, 2022, joint announcement by the European Commission president, Ursula von der Leyen, and US President Biden that they had reached an agreement in principle on a successor to the Privacy Shield.
While details of its content leaked over time, here is a summary of what the Executive Order provides and, more importantly, what the signing of the order means, not only for those who will be able to certify to the revised Privacy Shield, but also for everyone else.
What Does the Executive Order Say?
The Executive Order introduces stronger protection against the activities of US intelligence agencies. By doing so, it hopes to resolve (once and for all) the deficiencies identified in the Schrems II case. Some of the key safeguards implemented under the new framework are:
Data collection by intelligence agencies will only be permitted in pursuit of legitimate national security objectives, and only if it is necessary and proportionate to the impact on individuals’ privacy and civil liberties. Examples of legitimate objectives are protection against foreign military capabilities, terrorism, espionage and cybersecurity attacks, etc. The list is not set in stone; it can be updated.
Intelligence agencies will be required to adopt internal procedures to ensure compliance with the new rules. This includes the implementation of periodic oversight by senior-level officials, the introduction of reporting procedures in case of identified incidents of non-compliance, and the conducting of training to ensure that all employees with access to intelligence know and understand the rules, etc.
The framework introduces the principle of a two-stage redress mechanism to address individuals’ complaints about potential breaches by intelligence agencies. The complaints will first be transmitted by public authorities to the civil liberties protection officer, who will conduct an initial investigation, determine whether there was a violation, and order remediation. In the second stage, an additional review will be performed by the so-called Data Protection Review Court, a newly established independent body whose role is to review the determinations made in the first stage and to render a binding decision on the existence of a violation and on the remediation.
The Executive Order sets the direction, but there will still be a lot of actual work to be done by the agencies to implement the principles in actual processes.
Is This Important, and for Whom?
Schrems II and the subsequent reactions from data protection authorities and EU institutions made personal data transfers akin to navigating troubled waters. As the US was found not to provide an “adequate” level of personal data protection, companies had to turn to other legal mechanisms for their transatlantic transfers, taking on additional burdens, such as conducting their own due diligence exercise over the applicable US laws, entering into, or transitioning to, the new standard contractual clauses, identifying supplementary safeguards that may be required, and documenting the entire process.
The signature of the Executive Order is the first puzzle piece toward the adoption of a new adequacy decision on a revised Privacy Shield. When – and if – adopted, the adequacy decision should facilitate (again) the personal data flows between the EU and the US. The system will still include a voluntary self-certification, allowing (most) US companies to certify that they are compliant with the Privacy Shield’s data protection principles. Once certified, the companies would be adequate data importers (again). The framework would facilitate day-to-day operations for thousands of companies looking to move data for employment, commercial, IT and various other purposes. The Executive Order is an important step in that direction, as it attempts to remedy the shortcoming of the US legal system that led to the annulment of the previous framework.
On the other hand, organizations dealing with data importers that cannot certify to the Privacy Shield should also have their lives made (slightly) simpler. Indeed, the Executive Order provides for a revised framework in relation to government access to (European) data. This is probably a positive development, as those organizations will have a better benchmark to refer to when assessing the US legal system.
What Is Next?
Following the adjustments to the legal framework on the US side, the next step is for the European Commission to issue the so-called adequacy decision and recognize the (revised) framework as providing data protection standards essentially equivalent to those existing under EU law. The process will involve various stakeholders, including the European Data Protection Board and member states’ representatives. Once (and if) the adequacy decision is adopted, companies will be able to rely on this simplified mechanism for their EU-US data transfers. Hopefully, the emergence of the new framework will lift some of the pressure and reduce the incentive for data protection authorities to investigate EU/US data transfers in the coming weeks and months.
Do not pause your transition to the new standard contractual clauses, however. Let us recall that, just like the previous one, the new Privacy Shield could once again fall under the scrutiny of the Court of Justice of the European Union (CJEU). The adoption of the adequacy decision means that businesses may rely on it, but also that it can be challenged before national and European courts (and yes, a new US President might also have other views on the scope of action of US intelligence services). The nonprofit organization noyb.eu has already issued its initial analysis that the Executive Order is unlikely to satisfy EU law. So, the adequacy of the US legal framework will be examined once again. Should we bet on the outcome?
Diletta De Cicco and Lucija Vranesevic also contributed to this article.