January 30, 2023

Volume XIII, Number 30


We Have an EO, but Not (Yet) a New Transfer Mechanism

Background

On October 7, 2022, US President Joe Biden signed the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the Executive Order), introducing new safeguards to protect the personal data shared between the EU and the US.

The Executive Order is the first tangible step towards a new transatlantic framework for personal data transfers, following the March 25, 2022, joint announcement by the European Commission president, Ursula von der Leyen, and US President Biden that they had reached an agreement in principle on a successor to the Privacy Shield.

While details of the actual content leaked over time, here is a summary of what the Executive Order provides and, more importantly, what the signature of the order means, not only for those who will be able to certify to the revised Privacy Shield, but also for everyone else.

What Does the Executive Order Say?

The Executive Order introduces stronger protection against the activities of US intelligence agencies. By doing so, it hopes to resolve (once and for all) the deficiencies identified in the Schrems II case. Some of the key safeguards implemented under the new framework are:

  • Data collection by intelligence agencies will only be permitted in pursuit of legitimate national security objectives, and only if it is necessary and proportionate to the impact on individuals’ privacy and civil liberties. Examples of legitimate objectives are the protection against foreign military capabilities, terrorism, espionage and cybersecurity attacks, etc. The list is not fixed in stone; it can be updated.

  • Intelligence agencies will be required to adopt internal procedures to ensure compliance with the new rules. This includes the implementation of periodic oversight by senior-level officials, the introduction of reporting procedures for identified incidents of non-compliance, and the conduct of training to ensure that all employees with access to intelligence know and understand the rules, etc.

  • The framework introduces the principle of a two-stage redress mechanism to address individuals’ complaints about potential breaches by intelligence agencies. The complaints will first be transmitted by public authorities to the civil liberties protection officer, who will conduct an initial investigation, determine whether there was a violation, and order remediation. In the second stage, an additional review will be performed by the so-called Data Protection Review Court, a newly established independent body whose role is to review the determinations made in the first stage and to render a binding decision on the existence of a violation and on the remediation.

The Executive Order sets the direction, but there is still a lot of actual work to be done by the agencies to implement the principles in actual processes.

Is This Important, and for Whom?

Schrems II and subsequent reactions from data protection authorities and EU institutions made personal data transfers akin to navigating troubled waters. As the US was found not to provide an “adequate” level of personal data protection, companies had to turn to other legal mechanisms for their transatlantic transfers, going through additional burdens, such as conducting their own due diligence exercise over the applicable US laws, entering into, or transitioning to, the new standard contractual clauses, identifying supplementary safeguards that may be required, and documenting the entire process.

The signature of the Executive Order is the first puzzle piece toward the adoption of a new adequacy decision on a revised Privacy Shield. When – and if – adopted, the adequacy decision should facilitate (again) the personal data flows between the EU and the US. The system will still include a voluntary self-certification, allowing (most) US companies to certify that they are compliant with the Privacy Shield’s data protection principles. Once certified, the companies would be adequate data importers (again). The framework would facilitate day-to-day operations for thousands of companies looking to move data for employment, commercial, IT and various other purposes. The Executive Order is an important step in that direction, as it attempts to remedy the shortcomings of the US legal system that led to the annulment of the previous framework.

On the other hand, organizations dealing with data importers that cannot certify to the Privacy Shield should also have their lives made (slightly) simpler. Indeed, the Executive Order provides for a revised framework in relation to government access to (European) data. This is probably a positive development, as those organizations will have a better benchmark to refer to when assessing the US system.

What Is Next?

Following the adjustments to the legal framework on the US side, the next step is for the European Commission to issue the so-called adequacy decision and recognize such (revised) framework as providing essentially equivalent data protection standards as those existing under EU law. The process will involve various stakeholders, including the European Data Protection Board and member states’ representatives. Once (and if) the adequacy decision is adopted, companies will be able to rely on this simplified mechanism for their EU-US data transfers. Hopefully, the emergence of the new framework will lift some of the pressure and reduce the incentive for data protection authorities to investigate EU/US data transfers in the coming weeks and months.

Do not pause your transitioning to the new standard contractual clauses, however. Let us recall that, just like the previous one, the new Privacy Shield could once again fall under the scrutiny of the Court of Justice of the European Union (CJEU). The adoption of the adequacy decision means that businesses may rely on it, but also that it can be challenged before national and European courts (and yes, a new US President might also have other views on the scope of action of US intelligence services). The nonprofit organization, noyb.eu, has already issued its initial analysis that the Executive Order is unlikely to satisfy EU law. So, the adequacy of the US legal framework will be examined once again. Should we bet on the outcome?

Diletta De Cicco and Lucija Vranesevic also contributed to this article.

© Copyright 2023 Squire Patton Boggs (US) LLP. National Law Review, Volume XII, Number 285

About this Author

Partner

Charles Helleputte heads up the EU Data Privacy, Cybersecurity & Digital Assets Practice. Charles focuses on existing EU and national privacy, cybersecurity and data laws, such as the NIS Directive, GDPR and the Cybersecurity Act, and on upcoming developments, such as NIS 2, DORA, the AI Act and the ePrivacy Regulation.

Charles has specific experience preparing and managing incidents in a cross-border context, where it is necessary to consider multiple cybersecurity, privacy and other regulatory and enforcement frameworks (such as NIS, PSD2...

32-2-627-1100
Alan L. Friel, Data Privacy & Cybersecurity Attorney, Squire Patton Boggs, Los Angeles, CA
Partner

Alan Friel is the deputy chair of the firm’s Data Privacy & Cybersecurity Practice.

Alan is a thought leader in digital media, intellectual property, and privacy and consumer protection law, with three decades of relevant experience to address the intersection of law and technology.

Prior to joining the firm, Alan was a partner at a US law firm, where he led the US Consumer Privacy practice (in which he counseled clients on compliance with the California Consumer Privacy Act (CCPA) and other data privacy regimes), and the retail, restaurant and e-commerce industry...

213-689-6518
David Naylor, Data Privacy and Cybersecurity Attorney
Partner

David Naylor leads our UK Data Privacy, Cybersecurity & Digital Assets practice and is one of the industry’s leading specialists in the converging areas of technology, data, digital media, intellectual property and privacy. A world-class roster of clients turns to David for support in high-value commercial transactions, technology transfer and licensing, and business-critical data privacy regulatory matters.

Much of David’s practice focuses on international business expansion, cross-border transactions and multijurisdictional projects. He is...

44-20-7655-1668