At a Glance:
On Oct. 7, 2022, U.S. President Joe Biden issued the Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ (“Executive Order” or “EO”). The U.S. describes it as “a durable and reliable legal foundation” and states that the new “robust” commitments contained in the executive order “fully addresses” the issues raised in the [EU] Court of Justice’s decision on Privacy Shield (the “Schrems II ruling”). This Executive Order will form the basis for a new EU-U.S. Data Privacy Framework, aka Safe Harbor Framework v3 or Privacy Shield 2.0.
The issuance of the EO was a central part of the agreement in principle reached between the EU and the U.S. to address the issues raised in the Schrems II ruling. While most of the world waited for this Executive Order, we now all wait for the EU’s response as to whether or not this EO, once its requirements are implemented, suffices to lift the U.S. to an adequate level of data protection within the meaning of Art. 45 GDPR. Even before full implementation of the procedural aspects of the EO, the Executive Order will have a positive impact on data transfers given that the surveillance must be conducted in a proportionate manner that takes into account the impact to privacy and civil liberties of all persons, assuming the EU will be designated as a “qualifying state” by the U.S. Attorney General under the EO.
What does the Executive Order say
Key features of the EO are:
- signals intelligence activities may be conducted only where necessary to advance legitimate national security objectives, and in a manner that does not disproportionately impact individuals’ data protection and privacy rights;
- U.S. signals intelligence activities must be conducted only in pursuit of defined national security matters, such as espionage, terrorism, cybersecurity and the like;
- a new two-layer redress mechanism, consisting of a complaint mechanism and an independent Data Protection Review Court.
What is the next step until organizations can switch from SCCs to the Framework?
- Next is for the EU Commission to make an adequacy decision. This phase will consist of interactions with various stakeholders: a recommendation by the EDPB, a committee composed of representatives of the EU Member States, and the European Parliament. It is expected that this process may be finalized by March or April 2023. More details can be found in the Q&As document issued by the EU.
- Any adequacy decision will of course be fully dependent on the new oversight body and the Data Protection Review Court having been established, so there is the potential that the European Commission (“EC”) may not issue a full adequacy opinion until October 2023, particularly as the EO requires any policy updates to be completed within a year of the Executive Order being issued, namely by Oct. 7, 2023 or later:
  - The EO requires intelligence agencies to bring their policies into line with the EO (i.e. to reflect the proportionality and necessity principles) by Oct. 7, 2023. Such policies shall then be reviewed by the U.S. Privacy and Civil Liberties Oversight Board (PCLOB), and the respective agencies are asked to implement changes resulting from this review within 180 days after the review.
  - The EO also asks for implementation of the above-mentioned redress mechanism. For the Data Protection Review Court, the Order asks for a first structure by Dec. 8, 2022 (60 days from the date of the EO). The court itself then still needs to be set up.
- U.S. organizations need to certify under the new Framework. The EU explains: “U.S. companies will be able to join the framework by committing to comply with a detailed set of privacy obligations.” While there is not much information on this aspect, it is likely to be administered by the U.S. Department of Commerce and such self-certifications may be limited to those organizations regulated by the U.S. Federal Trade Commission, much like the EU-U.S. Safe Harbor Framework and the Privacy Shield before it.
For now, while the issuance of the EO is good news, it does not provide an immediate solution for transfers of EU or UK personal data to the U.S.
For organizations transferring data from the EU to the U.S., the following will apply: the new Framework will not be available this year. Dec. 27, 2022, is the deadline for switching from the old 2010 international transfer standard contractual clauses (“SCCs”) to the new 2021 SCCs. Due to this deadline, organizations that hoped the new Data Privacy Framework would have been approved by then, and those organizations still reliant on the 2010 SCCs, will all need to have the 2021 SCCs in place by Dec. 27, 2022.
Outlook – Schrems, UK, other Non-EU countries
No surprise that Max Schrems has already posted on his NOYB website that he thinks the EO is not sufficient. Schrems criticizes that the terms “necessary” and “proportionate” have different meanings in the EU and the U.S. NOYB further criticizes that the Data Protection Review Court will not be a real court, as its decisions will be limited. We will have to await the EU review to see how it addresses the points raised by NOYB.
The UK is also expected to issue an adequacy decision based on the EO, as announced in the UK-U.S. Joint Statement (“Statement”) last week, on Oct. 7, 2022.
Looking ahead: The EO is a big step for EU-U.S. data transfers and a step in the right direction, and we can but hope that the EO will be deemed enough for adequacy so that additional legislative changes to U.S. law will not be required. Only a political solution like this is able to resolve the situation. Note that no such solution is on the horizon for China, India or other countries, where the EDPB and the data protection authorities continue to leave organizations without a reliable solution.
We can be sure that NOYB will launch legal proceedings against the new Framework and/or any potential new adequacy decision. Hopefully, this time the CJEU will decide in favor of the Framework. While there are still a lot of “ifs” in relation to the EO, an adequacy decision by the EC, and implementation of a new Data Privacy Framework, perhaps this statement in one of the last paragraphs of the EO will prove decisive: “In the case of any conflict between this order and other applicable law, the more privacy-protective safeguards shall govern the conduct of signals intelligence activities, to the maximum extent allowed by law.”