On Friday 7th October, US President Joe Biden signed an Executive Order relating to Enhancing Safeguards for United States Signals Intelligence Activities. The Executive Order directs the steps that the US will take to ensure that it implements its commitments under the upcoming EU-US Data Privacy Framework.
The Framework was first announced in March 2022 and, if successful, would mean that data can be transferred between the two locations without implementing any additional measures and safeguards. We have previously commented on the initial publication of the political agreement, here.
In this blog, we look at what the new agreement aims to achieve, what are some of the issues, and whether we think a Schrems III challenge is on the horizon.
This agreement is not the first attempt at simplifying EU-US personal data transfers; in fact, it is the third. This begs the question: third time lucky?
Austrian privacy advocate Max Schrems has challenged the last two attempts (Safe Harbor and Privacy Shield) in the Court of Justice of the European Union (CJEU), claiming, successfully, that they both failed to offer sufficient protections for EU personal data. In both cases, the CJEU found that the protection of personal data offered in the US was insufficient for two main reasons:
Whilst upholding the validity of Standard Contractual Clauses (SCCs) as an appropriate transfer mechanism, the CJEU cast doubt over whether the SCCs in existence at the time provided sufficient safeguards. As a result of this comment, the EU’s SCCs have since been updated by the European Commission and are now in use.
Like the frameworks that have gone before, the current proposed framework hopes to simplify organisations’ EU-US data sharing requirements. The White House pointed out that trans-Atlantic data flows are critical to the $7.1 trillion economic relationship that exists between the EU and US. The Executive Order aims to ensure that this Framework doesn’t suffer the same fate as befell Safe Harbor and Privacy Shield by outlining changes to US laws that seek to fix the problems that have caused issues previously.
The changes include:
It is hoped that these steps will provide the European Commission with a basis upon which to adopt a new adequacy decision for the US.
So, does this mean that everything is sorted, and Schrems III will never become reality? Probably not.
The main issue centres around the concepts of ‘proportionality’ and ‘necessity’. Even though the US has changed its terminology to match that of the EU (no longer using the old term “as tailored as feasible”), there is no indication that mass surveillance will change in practice. “Bulk surveillance” will be allowed to continue under the new Order, and data that is sent to the US will likely end up in programmes like Upstream or PRISM, two of the US’s largest surveillance programmes. Although the words ‘proportionality’ and ‘necessary’ are found in the Order, there are some questions around whether their meaning aligns with the agreed definition under the EU GDPR.
There is also the issue around the Data Protection Review Court. Section 3(c)(E) states that a qualifying state’s data protection authority (or an element of the intelligence agency) can apply for a review by it on behalf of the resident making the complaint. This ‘court’ is not really a court, per se, but instead a tribunal-based system or, as Noyb stated, an upgraded ombudsman system. This was something that was rejected by the CJEU in the Schrems II case.
How the ‘court’ will work has also raised some questions. It is likely to act as an additional body of the executive branch and will most likely operate as a rubber-stamp mechanism, rather than properly deciding on what the outcome should be. This is because the US government will not confirm (or deny) whether you have been subjected to surveillance, but will only inform you whether there was a violation or whether it was remedied. That said, it is important to point out that the ‘court’ will be made up of individuals with judicial experience who will not be serving in the US government, nor will they be expected to have other US governmental duties while on the board. Considering all of the above, we have to question whether this mechanism will truly benefit Europeans by providing them with real access to justice and redress.
Finally, there is the simple question of whether the measures in place to limit the instances in which mass surveillance of EU data subjects is lawful go far enough.
Civil and consumer rights groups have also raised some concerns about the Executive Order. The American Civil Liberties Union (ACLU) have stated that the Order “does not go far enough. [Failing] to adequately protect the privacy of Americans and Europeans”. The ACLU also called into question the independence of the ‘court’ and whether the decision-maker can give independent decisions. The Trans-Atlantic Consumer Dialogue (TACD) has echoed some of the concerns of the ACLU, stating that it is likely to “cause further legal uncertainty for consumers for years to come”.
Let’s be realistic, a Schrems III case or something similar is a real possibility. But, despite the concerns, the prospect of an adequacy arrangement between the EU and US is undoubtedly a really positive thing that companies and organisations on both sides of the pond would benefit from. There is no question that both time and money will be saved if a new transatlantic framework can be crafted, as many organisations spend significant sums of money implementing SCCs and additional safeguards. But this needs to be done right, to ensure that EU data remains sufficiently protected.
Following the Executive Order announcement, this latest attempt has the best shot at being successful and withstanding legal challenges. This is not just because of the changes the US is making, but also because EU law has changed since the Schrems II decision. One such case was the SpaceNet case, where the CJEU confirmed that, yes, general and indiscriminate retention of traffic and location data is genuinely prohibited, but added an exception for cases that may result in a threat to national security. The judgement allows Member States the “targeted or expedited retention of such data and the general and indiscriminate retention of IP addresses”, as long as they are combatting a serious crime and are in “strict compliance with the principle of proportionality”. Thus, improved clarity over when surveillance is allowed can only help to better determine what will and will not be condoned by US agencies.
Now that Biden has issued his Executive Order, the European Commission will consider whether the protections provided are sufficient for adequacy to be granted to the US. However, this requires a decision to be drafted and the opinion of the European Data Protection Board (EDPB) to be considered (although the Commission is not bound by the findings). There is also the possibility that the Member States could block the decision; but, like the EDPB’s opinion, any complaints are not binding. We expect that this process could take months, with some kind of decision by Spring 2023. Questions and challenges from organisations and individuals (like Max Schrems) can be raised with the courts and the authorities in this time and, of course, even after it is implemented, if it gets that far.
For now, organisations will need to continue using existing transfer mechanisms until a new adequacy decision is granted by the EU Commission.
It is important to note that this decision only affects the EU and, if adequacy is decided, only the EU would automatically be seen as a qualifying state by the US. That being said, the UK has expressed interest in creating its own similar framework with the US. The Department for Digital, Culture, Media and Sport (DCMS) only recently published a press release expressing an interest in a potential adequacy agreement with the US. The US will then have to accept the UK as a ‘qualifying state’, as per the Executive Order. But again, until decisions are finalised and formal, organisations should continue using the International Data Transfer Agreement or the Addendum to the EU SCCs to transfer personal data to the US.
Ultimately, for now, the message for both the EU and UK is clear – watch this space…