Not only will they form the basis of an adequacy decision by the European Commission for transfers made using the proposed EU-U.S. Data Privacy Framework, but they also provide greater legal certainty for companies transferring personal data from the EU to the U.S. using other transfer mechanisms, such as the Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).
How did we get here?
On 25 March 2022, the European Commission and U.S. government announced they had reached an agreement in principle on the proposed EU-U.S. Data Privacy Framework (Data Privacy Framework). The Data Privacy Framework is intended to revive and enhance the Privacy Shield, which was invalidated as a transfer mechanism by the Court of Justice of the European Union (CJEU) in Schrems II, and enable participating companies to freely transfer personal data from the EU to the U.S.
As part of the agreement in principle, the U.S. committed to introducing new privacy and civil liberties safeguards in connection with its signals intelligence programs in order to address the concerns raised in Schrems II. EO 14086 sets out these protections and marks an important step toward the possible adoption of an adequacy decision by the European Commission for transfers made using the Data Privacy Framework.
What safeguards have been introduced under U.S. law?
EO 14086 introduces a number of new safeguards with respect to the collection of personal data by U.S. intelligence agencies:
- First, it places new requirements on the collection and handling of personal data by U.S. intelligence agencies regardless of the subject's nationality. It requires that signals intelligence activities must be "necessary" and "proportionate" to advance a validated intelligence priority and that such activities must be undertaken in pursuit of one of twelve enumerated national security and intelligence objectives.
- Second, it expands the oversight of signals intelligence programs by U.S. government agencies. The Civil Liberties Protection Officer (CLPO), appointed by the Director of National Intelligence (DNI), must conduct an assessment prior to any new intelligence-gathering operations. Bulk collection may only be authorised where the intelligence cannot be reasonably obtained through targeted collection. Additionally, intelligence agencies must maintain documentation regarding their collection of personal data through signals intelligence and update their policies and procedures to ensure effective oversight of the new safeguards.
- Third, it creates a redress mechanism for individuals from "qualifying states" who claim their personal data has been collected unlawfully through signals intelligence programs. Individuals can lodge a complaint with the CLPO, which has the power to investigate complaints and render binding decisions against intelligence agencies. Individuals can also appeal decisions by the CLPO to the Data Protection Review Court (DPRC), which has been established through regulations issued by the U.S. Attorney General. The DPRC will consist of six or more independent judges appointed from outside the U.S. government who have expertise in national security matters. The judges will not be subject to the day-to-day supervision of the Attorney General and may not be removed or otherwise subjected to adverse action arising from their service. Individuals will be represented before the DPRC by special advocates, and the decisions of the DPRC will be final and binding.
According to Q&As issued by the European Commission, the new safeguards have been specifically designed to address the concerns identified in Schrems II and represent a significant improvement compared to the Privacy Shield.
What happens now?
Following the adoption of these new safeguards, the European Commission has begun preparing a draft adequacy decision that will kick off the formal adequacy procedure under the GDPR. The procedure is outlined under Article 45 and involves several stages: (1) adequacy proposal from the Commission, (2) opinion from the European Data Protection Board (EDPB), (3) approval from representatives of the EU Member States, and (4) final adequacy decision from the European Commission. The European Parliament also has a right of scrutiny over proposed adequacy decisions.
The European Commission has said that it expects the process to take up to 6 months, so the earliest expected date for a final adequacy decision is spring 2023. The timing may also depend on whether the EDPB, EU Member States and/or European Parliament raise any objections that push the European Commission to seek additional commitments from the U.S. government.
How will companies sign up for the EU-U.S. Data Privacy Framework?
We don't yet have any details about how companies will be able to register for the Data Privacy Framework, but we do know that the new framework will essentially be modelled on the Privacy Shield. Based on this, companies may look to the Privacy Shield as a rough guide for what will be required. Firstly, companies will be required to self-certify to a set of privacy principles based on the Privacy Shield Principles. The U.S. Department of Commerce (DOC) has confirmed that the new framework will update the Privacy Shield Principles (with some modifications) and rename them the "EU-U.S. Data Privacy Framework Principles". Secondly, the registration process is likely to be very similar to the registration process for Privacy Shield. This includes preparing certain documentation, designating a contact point, developing a verification mechanism, and submitting a self-certification to the DOC – a process that usually takes several months. Lastly, the new framework will continue to be enforced by the U.S. Federal Trade Commission (FTC) and U.S. Department of Transportation. Currently, the FTC has the power to impose administrative orders, seek court orders, and issue civil penalties of up to $40,000 per day for continuing violations of the Privacy Shield.
What will this mean for companies that have maintained their Privacy Shield certification?
While the Privacy Shield was invalidated as a transfer mechanism, the program has continued to operate under the administration of the DOC. For companies that have maintained their Privacy Shield certification, the DOC has announced that it will work with these companies to facilitate their transition to the updated privacy principles under the Data Privacy Framework. At the recent IAPP Europe Data Protection Congress in Brussels, the Director of the Privacy Shield said that companies should expect to make some updates to their commitments but the commercial elements of the Privacy Shield are unlikely to change. At this stage, there are clearly benefits in remaining within the Privacy Shield until more is known about what is required to transition and the additional responsibilities and costs involved.
What do the new safeguards mean for transfers using SCCs and BCRs?
The safeguards enacted under EO 14086 will form the basis for a future adequacy decision for transfers made using the Data Privacy Framework. However, they are not limited to personal data transferred using the Data Privacy Framework and apply to all transfers of personal data to the U.S. This point has been clarified in the Q&As published by the European Commission and the statement issued by the DOC.
Effectively, this means that companies may take into account the additional safeguards enacted through EO 14086 when assessing the risks of transferring personal data to the U.S. more generally, including where such transfers are made using the SCCs or BCRs. This is a significant development that should provide greater legal certainty and stability for companies transferring personal data from the EU to the U.S.
How long will it be before the EU-U.S. Data Privacy Framework is challenged?
It's likely that the Data Privacy Framework will be challenged and this could happen as soon as the European Commission issues its final adequacy decision. NOYB, the activist organisation headed by Max Schrems, has issued an open letter to EU and U.S. officials arguing that the proposed framework is unlikely to withstand legal challenge on the basis that the new safeguards do not adequately address the concerns raised in Schrems II. At the recent IAPP Europe Data Protection Congress in Brussels, Max Schrems suggested that a case could be brought to the CJEU quickly but stopped short of confirming whether he personally intends to bring such a case. In any event, given the likelihood of a challenge, we expect companies that sign up for the Data Privacy Framework will continue to use the SCCs as a back-up mechanism.
For more information on the Data Privacy Framework, see EO 14086, the EU-U.S. joint announcement, the White House fact sheet, the European Commission Q&As, and the DOJ statement.