On October 7, 2022, President Biden signed an executive order implementing the EU-U.S. Data Privacy Framework. Announced in March, the framework replaces the Privacy Shield program, which the Court of Justice of the European Union invalidated in July 2020 in its Schrems II decision. The court held that the United States did not provide a level of data protection “essentially equivalent” to that guaranteed within the EU, because signals intelligence collection by U.S. agencies was considered too broad and EU residents lacked effective remedies against it.
The new framework is intended to facilitate the cross-border transfer of personal information from the EU to the U.S. in compliance with the EU’s General Data Protection Regulation (GDPR). The executive order specifically addresses the process by which the U.S. intelligence community handles the personal data of EU residents and responds to complaints from EU residents. Detailing the commitments made in the March announcement, the executive order provides the basis for the EU to proceed with an “adequacy” decision under the GDPR regarding cross-border data transfers. With these additional protections in place, it is expected that a revised cross-border transfer framework can be finalized in the next few months.
According to the White House Fact Sheet accompanying the March announcement, the new framework requires that U.S. intelligence agencies conduct signals intelligence activities only where necessary to advance legitimate national security objectives, and in a manner that does not disproportionately impact individual privacy and civil liberties. The independent Privacy and Civil Liberties Oversight Board is charged with reviewing the intelligence community’s implementation of the new principles and procedures, including the outcome of redress decisions, and with conducting annual compliance reviews.
The revised framework establishes a two-tiered process by which EU residents can seek redress for alleged violations, replacing the government “ombudsperson” mechanism that the EU court rejected as inadequate. As a first step, EU residents can lodge complaints with the Civil Liberties Protection Officer (CLPO) in the Office of the Director of National Intelligence, who will conduct an initial investigation and issue binding decisions. As a second level of review, the U.S. Department of Justice will establish an independent Data Protection Review Court, composed of independent judges, to review the CLPO’s decisions; the court will “have full authority to adjudicate claims and direct remedial measures as needed.” A “special advocate” will be assigned to represent the complainant’s interests before the court.
More than 5,300 companies participated in the Privacy Shield program before it was invalidated. The decision invalidating Privacy Shield also cast doubt on the adequacy of alternative transfer mechanisms, including standard contractual clauses and binding corporate rules, since those mechanisms cannot by themselves constrain government access to transferred data. Because the safeguards in the March announcement and the October 7 executive order govern U.S. intelligence activities regardless of how the data reached the United States, they also apply to data transferred under these alternative mechanisms.
The next step is for the EU to determine whether the U.S. commitments meet GDPR’s “adequacy” standard for the transfer of personal data, a process anticipated to take about six months. Once the European Commission adopts an adequacy decision, participation in the revised framework will require companies to self-certify their adherence to the framework’s principles with the U.S. Department of Commerce. Although any adequacy decision is likely to be challenged in the EU courts, the new framework will create much greater certainty for the many organizations that depend on cross-border data flows to drive the trillions of dollars in annual transatlantic commerce.
Crowell and Moring will continue to follow developments on these issues and provide ongoing updates.