Calmer waters in sight? The European Commission publish their draft adequacy decision for the EU-U.S. Data Privacy Framework

Data flows in the digital economy continue to grow - frictionless cross-border data flows are vital to the use of cloud, AI, machine learning and IoT, alongside core operations such as human resources and financial transaction. This decision is designed to reduce the friction in data flows between the US and EU and once adopted will provide a potential route for transfers of personal data from the EU to the US without need for further safeguards.  

There is now much debate about the robustness of the decision and whether it will enable proportionate and sustainable compliance for companies. The wider question is whether it will enable long term confidence in the GDPR’s ability to balance protection and enable data use.

The Commission’s decision is also important as it shows how two major digital economies look to enable interoperability between their legal systems, whilst respecting the legal and constitutional context of both jurisdictions.

This week has also seen a further positive announcement, with the OECD publishing the Declaration on Government Access to Personal Data Held by Private Sector Entities. This much welcomed agreement on common principles among OECD members (including the US, EU member states and UK) will create a new baseline and reference point that OECD Members will consider when developing measures related to data flows. We will blog more about this soon. 

The story so far

The Court of Justice of the EU’s (CJEU) judgment of July 2020 (Schrems II) invalidated the EU-US Privacy Shield (the Privacy Shield). It did not declare the EU’s Standard Contractual Clauses (SCCs) invalid but made clear that further safeguards would needed for data transfers to the US, related to access to personal data for national security purposes. 

It has been a long two years of uncertainty and companies have exhausted significant resources to keep data flowing in compliance with the GDPR and the Schrems II judgment.  Significant challenges to the use of core digital services, such as cloud, office suites and web analytics have all emerged, following decisions and reports from EU Data Protection Authorities applying the judgment.  The guidance produced by the European Data Protection Board has also presented practical challenges and has been resource intensive to implement in practice.

Since the judgment in July 2020 the EU and US and have worked hard to find a solution to implement the relevant aspects of the ruling.  In March 2022 we had the announcement that they had reached agreement in principle on a new EU-US Trans-Atlantic Data Privacy Framework, and a detailed solution would be available in due course, including a new Executive Order and Data Protection Review Court. 

On 7 October 2022 President Biden issued an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities and the Department of Justice added new regulations as well.  On the 13 December 2022 the Officer for the Director of National Intelligence also issued new Implementation Procedures. 

The new EU-US Trans-Atlantic Data Privacy Framework (DPF) and Executive Order 14086

1. Access to European data by US intelligence agencies must be limited to what is necessary and proportionate to protect national security.
2. EU individuals must be able to obtain redress about the collection and use of their data by US intelligence agencies via an independent and impartial redress mechanism. 

The Executive Order

The new US Executive Order 14086 (EO) is detailed and forms the basis of the DPF; setting principles, criteria, objectives, policies, procedures, different layers of oversight and redress. The EO also builds on the safeguards and requirements of existing US law: Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 123333 on United States intelligence activities. It also replaces much of the Presidential Policy Directive (PPD 28).

The key principles contained in section 2(a) of the EO address necessity and proportionality. They contain language such as “that the activities are necessary to advance a validated intelligence priority” and “signals intelligence activities shall be conducted only to the extent and in a manner that is proportionate to the validated intelligence priority for which they have been authorized”. The EO also sets out ‘rigorous oversight’ is required.

It contains a list of legitimate objectives that can be pursued in signals intelligence collection as well as prohibited objectives. A process for validation of signals intelligence collection priorities is also set out. The EO requires “consideration of the availability, feasibility, and appropriateness of other less intrusive sources and methods for collecting the information necessary to advance a validated intelligence priority.” Collection must be as tailored as feasible.

Whilst the EO recognises that bulk signals collection can be authorized it states that “targeted collection shall be prioritized” and sets out the permitted objectives for use of bulk collection.

The EO then sets out criteria for minimization and dissemination, data access, security, retention and data quality.  Meaning that the EO contains much clearer and explicit mapping to EU principles than before, noting that PPD28 wasn’t drafted with insight from the Court’s judgment, though it was produced to address concerns following the Edward Snowden revelations.

In terms of policies and procedures of the US intelligence community, the EO makes clear they must be updated in line with the EO, within one year, and the Privacy and Civil Liberties Oversight Board (PCLOB) will have oversight.

A further layer of oversight is set out for “significant incidents of non-compliance” involving senior level officials such as an Inspector General and Privacy and Civil Liberties Officer.

Finally, the EO sets out the Signals Intelligence Redress Mechanism, which provides several layers. Firstly through the Privacy and Civil Liberties Officer.  A complainant or an element of the Intelligence Community can then apply for review by the Data Protection Review Court and a special advocate will be selected by the Court to advocate the complainant’s interest. It is also clear that Data Protection Review Court panel can make its own independent determination and disagree with the Privacy and Civil Liberties Officer, and decisions have binding effect.

The Data Protection Review Court (the DPRC) is set up under the Attorney General’s (AG) authority and judges are appointed. This recognises the unique and independent role of the AG. It also clear that the AG cannot interfere with the workings of the DPRC. There are clear rules about the independence of the judges, including a prohibition on any other US government employment. The EO also sets out the requirement for impartial determination and that the DPRC must follow rulings of the Supreme Court. In addition, the functioning of the mechanism is subject to annual review by the PCLOB.

The commercial principles

To rely on the EU-US Data Privacy Framework, organisations must adhere to certain commercial principles and self-certify as to their compliance. It is worth noting that even though the commercial principles under the EU-US Privacy Shield were not struck down by CJEU in July 2022, the commercial framework will now also be updated. The Privacy Shield name will disappear as the new framework takes over.  The US Department of Commerce stated in October:

“The EU-U.S. DPF will also update the privacy principles that companies adhere to under the EU-U.S. Privacy Shield Framework and rename them as the “EU-U.S. Data Privacy Framework Principles”….U.S. companies. The U.S. Department of Commerce will work with current Privacy Shield participants…to facilitate the transition to the updated privacy principles under the EU-U.S. DPF”

The Commission’s draft adequacy decision

This package of measures therefore explicitly addresses the CJEU judgment and GDPR, in a way that the package under the Privacy Shield did not. It requires less reading across, and matching of equivalent terms and principles, and the Ombudsperson model from the Privacy Shield is no longer used.

As expected, the Commission’s positive adequacy decision is full of detail in its explanation of how the DPF now meets the test of essential equivalence under GDPR and the key areas identified by the CJEU. The document itself stretches out over 134 pages and a full read is therefore not for the faint-hearted, but the core legal text is contained in pages 2-58 and the analysis on access and use by U.S. public authorities for national security purposes starts on page 30.The sections on necessity and proportionality, and redress, are set out in painstaking detail, building a methodical case for how the EO meets the tests from Schrems II.

The annex of the draft decision contains the updated EU-US Data Privacy Framework commercial principles issued by the US Department of Commerce, as mentioned above.

As the Privacy Shield was issued under the previous Data Protection Directive 95/46, references in the commercial principles to the old law have now been replaced by the GDPR. Otherwise, the substantive elements of the principles (such as notice, choice and access) all appear to be as before.  It is worth noting that, as you would expect, the GDPR definition of personal data is now referenced in the principles, making clear that this broader definition must be applied when relying on the EU-US Data Privacy Framework when transferring personal data.

At the time the DPF takes effect, a 3-month window will start during which time previous participants of the Privacy Shield who wish to take advantage of the EU-US Data Privacy Framework will need to update their privacy policies.  We can expect guidance on this from the US Department of Commerce next year.

Other transfer tools

EU data exporters can also rely on the new safeguards set out in the EO when using other transfer tools, such as standard contractual clauses and binding corporate rules, for EU-US personal data transfers. This is a welcome benefit of the Commission’s decision, as many companies will not certify under the DPF and will continue to use standard contractual clauses as their transfer mechanism.

Future legal challenge?

It seems likely that future challenges will focus on whether the EO does indeed effectively provides essential equivalence to the concepts of necessity and proportionality, in definition and practical effect. The Commission’s decision now makes a strong case that these concepts are addressed in the US framework and will be implemented in practice. The recent statement by the Hamburg Data Protection Authority about the EU gives a positive indication on this aspect:

“The Executive Order creates guarantees for European citizens against the American secret services. The USA has thus moved a long way towards the European tradition of fundamental rights. The rather knee-jerk and sweeping criticism that can sometimes be read is therefore inappropriate”

Speaking at a Politico event about the DPF on Monday 13 December 2022, Bruno Gencarelli from the European Commission pointed about that necessity and proportionality are not just European concepts.  They are recognised in a number of fields of international law, and can translate and apply in the US legal system.

The question of large scale or bulk processing will also arise and was mentioned by the Hamburg DPA as an outstanding concern. Though we should note that the European Court of Human Rights, in the Big Brother Watch case from 2021, found that bulk interception does not in itself violate the European Convention on Human Rights, given the “multitude of threats States face in modern society”. For bulk collection the questions should focus on the safeguards. It can also be argued that there is a difference between bulk collection with safeguards compared to general and indiscriminate data collection. It is important to note that EO 12333 already contains prohibitions on bulk collection within the US and access to data in the US should be the focus of the adequacy decision, given the compliance issue relates to personal data exported to the US, not data in transit. 

The draft decision also makes a strong case that the Data Protection Review Court (DPRC) can be seen as essentially equivalent to expectations set in EU law, including in relation to rights under the EU Charter of Fundamental Rights. There will be deep scrutiny by the data protection community of the effectiveness of redress and independence of the DPRC. There has been a range of commentary in the legal and academic press, including some positive views as to parallels between the proposed DPRC and other quasi-judicial redress mechanisms in the EU. Some commentators have highlighted for instance how the US DOJ regulations that underpin the DPRC have binding effect.

Speaking at the Politico event, EU Commissioner for Justice, Didier Reynders, was ‘quite confident’ about the decision withstanding challenge in the CJEU. When pressed for a number out of 10, he said ‘7/8’ – clearly it seems likely that Mr Reynders would need to posit a reasonably optimistic and confident number here, so whether much can really be read into this remains to be seen. He also said the Commission was ready for this challenge and it seemed very likely to happen.

Unsurprisingly, however, Max Schrems, who now heads the civil society group NOYB, has issued the following statement this week:

“We will analyze the draft decision in detail the next days. As the draft decision is based on the known Executive Order, I can't see how this would survive a challenge before the Court of Justice. It seems that the European Commission just issues similar decisions over and over again - in flagrant breach of our fundamental rights”

As noted above, a challenge may be inevitable, but given that the US and the EU would have known this to be the case, one can assume that there will have been a rigorous testing of the analysis and it is pleasing to see that commentators who have less of a vested interest on one side or the other are not immediately identifying lacunae in the proposals.  Many commentators are indicating a measured optimism about future prospects.

What happens next?

The following stages now need to take place, before the decision can be adopted and take legal effect.  It is estimated that the process will take around 6 months, so we can expect a final decision around June 2023.

• The European Data Protection Board will issue a non-binding opinion. We can expect this to be detailed given the previous opinions issued on the EU-US Privacy Shield and Japan.
• The European Parliament can also adopt a non-binding position and scrutinize the decision. Given the importance it seems very likely it will adopt a position.
• The European Commission must seek approval from a committee composed of representatives of the EU Member States.

Once the decision is adopted, the process of review will be as per the terms of GDPR Article 45(3) – there will be a periodic review once a year and review at least every four years. This is different to the UK adequacy decisions, which included a sunset clause that strictly limits their duration and means that the decisions will automatically expire four years after their entry into force. This was to guard against risks that stemmed from UK divergence, the Commissions clearly felt this risk was not present with the US, despite the US Presidential election coming in 2024.

What should companies do now?

A benefit of the Commission’s approach is that the decision will benefit all transfer tools, as mentioned above. Once adopted, it will enable companies to swiftly streamline their approach on US data transfers using tools such as SCCs. For example, Transfer Impact Assessments can be shortened and updated to reflect the new position.

Some companies may consider whether to move to certification under the new DPF and switch from using SCCs. There will be a range of factors that influence this decision, including an assessment of the risks of legal challenge in the CJEU. Businesses will also need to consider implementation costs and how well the certification approach fits the business model and relationship with business partners, plus sector take up. Certification may also bring some wider benefits such as transparency to users about standards and accountability met.

What about the UK?

It is clear that the UK intends to put a US adequacy decision in place soon as well.  UK Digital Secretary Michelle Donelan met with US Secretary of Commerce Gina Raimondo in October 2022 and their announcement signalled an intention to “conclude the adequacy work in the weeks ahead.” Their statement also noted that “The US intends to work to designate the UK as a qualifying state under the EO, assuming the conditions for such designation can be satisfied, which would enable UK individuals who submit qualifying complaints to access the redress mechanism established under the EO.”

We can therefore be confident that UK companies should be able to benefit from the arrangement at the same time as EU companies, or even earlier (if UK Ministers are feeling competitive).

It is worth noting that the UK process for adequacy is different to the EU’s and there isn’t a requirement for the UK Government to publish a draft.  Before making UK adequacy regulations, the Secretary of State is required to consult the ICO and such other persons as the Secretary of State considers appropriate (section 182(2) of the DPA 2018).  This process take places in confidence until the regulations are ready to be laid in Parliament and the ICO will then publish its opinion.