What's the issue?

Over two years ago, the CJEU invalidated the EU-US Privacy Shield which allowed for frictionless data transfers between the EU and organisations signed up to its principles. Following what became known as the Schrems II decision, the EDPB set out guidelines for US and other third country data transfers which required an assessment by EU (and UK) data exporters of the level of data protection afforded to EU/UK data in the destination country, and supplementary protection measures where default standards were not found to be adequate.

The main issues identified by the CJEU in Schrems II were:

• the lack of a requirement on US law enforcement and intelligence agencies that their access to personal data be necessary and proportionate
• the lack of effective redress for EU citizens in the event of unauthorised access to their data.

The Schrems II decision was handed down before the end of the Brexit transition period which means it applies in the UK.  Overnight, lawful data protection transfers from the EEA and UK to the USA (and to other third countries), became more complex. 

What's the development?

President Biden has signed an Executive Order on Enhancing Safeguards for United Signals Intelligence Activities (EO).  The EO and related Department of Justice Rules published at the same time, seek to deal with the issues raised by the CJEU in the Schrems II decision and pave the way for a new EU-US Data Privacy Framework (previously known as the Trans-Atlantic Data Privacy Framework). The EO:

• requires US signals intelligence activities to be conducted only in pursuit of defined national security objectives and sets out bans on these activities in four specific situations, including to prevent freedom of speech. The authorities are required to take into consideration the privacy and civil liberties of individuals regardless of nationality or country of residence. They may conduct these activities only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority
• mandates handling requirements for personal information collected through signals intelligence activities, and extends the responsibilities of legal, oversight and compliance officials to ensure appropriate actions are taken to remediate non-compliance
• requires US Intelligence authorities to update their policies and procedures to reflect the requirements of the EO
• creates a multi-layer redress mechanism for individuals from qualifying states (to be designated by the USA).

Necessity and proportionality

The use of the words "necessary" and "proportionate" are clearly significant in the context of the Schrems II judgment and take over from the concept of 'reasonableness' and a requirement that surveillance be "as tailored as possible" in this context. The EO sets out the initial requirements and goes on to explain what they mean.  Essentially, a prior reasonable assessment of all relevant factors is required to establish necessity, although this doesn't mean that signals intelligence must be the only way of advancing the relevant intelligence priority.  Any signals intelligence activities must also be conducted only to the extent and in a manner that is proportionate to the relevant validated intelligence priority, with the aim of achieving a proper balance between the importance of that priority and the impact on the rights of individuals (privacy and civil liberties), wherever they are based and whatever their nationality.  In addition, more specific safeguards are introduced to set out what sort of signals intelligence data can be collected, how it can be used and shared, and for how long it can be retained.

Effective redress

The EO and accompanying Department of Justice Rules establish a two-layer redress system for any individuals concerned that their data has been unlawfully accessed, whatever the transfer mechanism under which it was transferred to the US, provided they are from "qualifying states" designated pursuant to the EO by the Attorney General.  To be designated as a qualifying state, a country must have laws which appropriately protect access of US personal information for intelligence purposes, permit the export of personal information for commercial purposes to the USA, and, in addition, the designation must advance US national interests.

Under the first layer, the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO) will conduct an initial investigation to determine the validity of any appropriately submitted complaints and set out appropriate remediation where relevant.  The CLPO's decision will be binding on the Intelligence Community, subject to a second layer of review, and the EO provides protections to ensure the independence of the CLPO's investigations and decisions.

Under the second layer of review, the EO authorises the Attorney General to set up a Data Protection Review Court (DPRC) to provide an independent and binding review of the CLPO's decisions. Judges will be appointed from outside the US government and will have relevant expertise and security clearance. The DPRC will also select a special advocate with appropriate national security clearance to act in each complainant's interest.

Further oversight is provided by the Privacy and Civil Liberties Oversight Board which is asked to review Intelligence Community policies and procedures to ensure they are consistent with the EO, and to conduct an annual review of the redress process and whether the Intelligence Community has fully complied with decisions made by the CLPO and the DPRC.

Potential issues

There are concerns that the US is carrying out this process by Executive Order rather than by legislation.  While the EO has binding force, it can be more easily overturned by a future President than legislation.  It seems likely that, as with the EU-UK adequacy decision, the EU will include the right to withdraw any adequacy decision if there are changes to the US rules set out under the EO which it sees as adverse.

The Commission believes the CJEU would not strike down a new US adequacy agreement, saying the changes made by the US "address the concerns raised by the Court of Justice of the EU in the Schrems II judgment" [and] provide a durable and reliable legal basis for transatlantic data flows". 

Max Schrems (unsurprisingly), does not agree. He suggests that the US understanding of what is meant by "necessity" and "proportionality", is at odds with the CJEU's interpretation and will ultimately lead to the failure of the Framework.  He also points to the fact that the DPRC will not be a 'court' under the US Constitution but a body within the US government's executive branch, suggesting it will not meet the standards of judicial redress within the meaning of the EU Charter.  Schrems also queries whether any of this will lead to meaningful changes to the activities of US intelligence authorities, while noting the difficulties in obtaining information as to what they involve with respect to individuals. He warns: "We will analyze this package in detail, which will take a couple of days. At first sight it seems that the core issues were not solved and it will be back to the CJEU sooner or later."

Next steps

The EU will now begin a new adequacy procedure.  This will entail the publication of a draft adequacy decision.  Following this, the EDPB will provide an opinion on the draft and representatives from the EU Member States will be required to give approval.  The European Parliament also has a non-binding right of scrutiny. Once the adequacy decision is adopted by the Commission, personal data will be able to flow freely between the EU and those US organisations committing to compliance with privacy obligations and certified by the Department of Commerce under the new Framework.  The process is expected to take around four to six months, so we can provisionally expect the Framework to be in place by March 2023.  Until then, existing transfer mechanisms must be used in conjunction with the EDPB guidelines on data transfers following the Schrems II decision.

How does this impact the UK?

The EO is not EU-specific; the redress elements apply to any state designated by the US as a qualifying state with other protections applying to individuals regardless of their nationality or location.  This is good news for the UK which (at least for now) is bound by the Schrems II decision and has equivalent rules on data exports under the UK GDPR, as those in the EU.

On the same day the EO was published, the UK government published a US-UK Joint Statement on a New Comprehensive Dialogue on Technology and Data and Progress on Data Adequacy.  The Statement announced "significant progress on UK-US data adequacy discussions".  It set out the government's aim of "working expediently" to issue a US-UK adequacy decision and achieving recognition under the EO as a qualifying state.

What does this mean for you?

Organisations which are already signed up to the Privacy Shield will be relieved to learn that, while terms are being updated to align with GDPR, the commercial practices required of them are expected to remain largely the same.  However, owing to updated definitions, there may a need to update policies and self-certifications. 

There is also good news for transfers from the EEA/UK to the US under other mechanisms like Standard Contractual Clauses and Binding Corporate Rules.  Any future US or UK adequacy decision will make the case that there are sufficient protections to the rights and freedoms of individuals with regard to access to their personal data by US intelligence authorities. As such, the assessment of the US regime currently required for all transfer mechanisms, will effectively have been carried out and there should be less of an issue with supplementary protection measures.

Whether or not the future adequacy decisions hold up remains to be seen and much will depend on whether there are any demonstrable changes as a result of the EO.  But the wheels of justice turn slowly. At the very least, we are likely to see few years of easier transfers from the EEA and UK to the USA, not only for those exporting to organisations signed up to the relevant data compliance principles, but also under other data transfer mechanisms.  Businesses will hope the impact lasts significantly longer than that.