CTI Column – Privacy Shield 3.0: The Future of Personal Data Transfers Under the New EU-U.S. Data Privacy Framework
By Rachel Zuroff, Attorney
After more than two years of a perilous environment for personal data transfers between the European Union (“EU”) and the United States (“U.S.”) and much negotiation between the parties, on October 7, 2022, President Joe Biden issued an Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities.” The Executive Order paves the way to easing tensions around cross-border transfers between the EU and the U.S. and is a major step towards implementing a new EU-U.S. Data Privacy Framework (“DPF”). If successfully implemented, the DPF would allow personal data to be transferred smoothly from the EU to the U.S. for the first time since July 2020, when the Privacy Shield Framework was invalidated by the Court of Justice of the European Union (“CJEU”) in a landmark decision on data transfers known as Schrems II.
Privacy aficionados will remember that in Schrems II, the CJEU invalidated the Privacy Shield Framework and ruled that companies moving personal data from the EU to the U.S. must rely on another transfer tool, such as standard contractual clauses (“SCCs”), and must verify on a case-by-case basis whether additional technical and organizational measures (“TOMs”) are needed to protect that information. Prior to this decision, the European Commission had issued an adequacy decision for the Privacy Shield Framework, which allowed companies to comply easily with EU requirements for transferring personal data by self-certifying under the framework and publicly committing to comply with its requirements. In Schrems II, however, the CJEU struck down the Privacy Shield Framework, finding that the U.S. did not offer an adequate level of data protection. The court’s ruling was primarily based on two findings. First, U.S. law, particularly Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) and Executive Order 12333, does not limit surveillance programs to what is strictly necessary and proportionate, thereby violating art. 52 of the Charter of Fundamental Rights of the European Union (“EU Charter”). Second, U.S. law does not offer EU data subjects a right to an effective remedy before an independent tribunal in the U.S. if their rights are violated by a surveillance program, and hence violates art. 47 of the EU Charter. Without a bilateral agreement in place between the EU and the U.S., companies and regulators were left to conduct case-by-case analyses to determine which SCCs and TOMs were needed to ensure that any data transfers would be protected to a standard essentially equivalent to that guaranteed in the EU.
Following the Schrems II decision, the digital rights advocacy group NOYB (founded by Max Schrems) lodged 101 complaints in August 2020 with data protection authorities across the EU and the European Economic Area. NOYB’s complaints allege that businesses using services provided by Google and Facebook that involve the transfer of personal data, such as Google Analytics and Facebook Connect, may no longer do so after Schrems II because the businesses cannot ensure adequate protection of the transferred personal data. For context, Google Analytics is a service that websites such as e-commerce sites integrate to track visitors and perform statistical analyses. Each visitor is assigned a unique identifier, and the identifier and its associated data are then transferred by Google to the U.S., where the data is stored. Over the past two years, four European data protection authorities (“DPAs”), those of Austria, Denmark, France, and Italy, have found that the use of Google Analytics violates art. 44 of the General Data Protection Regulation (“GDPR”) because the tool allows personal data to be transferred outside the EU without adequate safeguards against potential access by U.S. intelligence agencies.
These decisions all share common features. In particular, the DPAs found that the additional safeguards implemented by Google, namely data encryption and IP anonymization, were insufficient. First, encryption in transit and at rest does not protect against the risk at issue, because Google itself holds the decryption keys, and a U.S. agency serving a FISA order on Google can demand the keys along with the targeted data. Second, Google Analytics’ IP anonymization option was deemed to offer a form of pseudonymization rather than anonymization: it only truncates the IP address, and users could still be singled out by combining the truncated address with the other data points collected, such as the unique visitor identifier and browser characteristics, so the data transferred still counted as personal data. Given the widespread commercial use of services such as Google Analytics, these cases highlight the critical commercial need for an effective EU-U.S. agreement on data transfers.
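The following is an added illustration of the DPAs’ second finding, not code from the article or from Google. It masks IP addresses the way the Google Analytics “anonymizeIp” option is documented to (zeroing the last octet of an IPv4 address or the last 80 bits of an IPv6 address) and then measures, over a small constructed set of analytics hits, how many visitors remain uniquely identifiable once the masked IP is combined with the other fields a hit carries. The field names, sample addresses and client identifiers are invented for the example.

```python
import ipaddress
from collections import Counter


def ga_style_ip_anonymization(ip: str) -> str:
    """Mask an address the way the Google Analytics 'anonymizeIp' option is
    documented to: zero the last octet of an IPv4 address, or the last 80 bits
    of an IPv6 address, before the address is stored."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        masked = int(addr) & ~0xFF
    else:
        masked = int(addr) & ~((1 << 80) - 1)
    # Rebuild with the same address class so a masked IPv6 that happens to be
    # numerically small is not misread as an IPv4 address.
    return str(type(addr)(masked))


# Constructed sample hits (documentation-range addresses, invented client IDs).
# A real hit also carries screen size, language, referrer and more, which only
# makes the re-identification below easier.
HITS = [
    {"client_id": "GA1.2.1111", "ip": "203.0.113.42",  "user_agent": "Firefox/118 (Linux)"},
    {"client_id": "GA1.2.2222", "ip": "203.0.113.77",  "user_agent": "Chrome/117 (Windows)"},
    {"client_id": "GA1.2.3333", "ip": "203.0.113.9",   "user_agent": "Chrome/117 (Windows)"},
    {"client_id": "GA1.2.4444", "ip": "203.0.113.200", "user_agent": "Safari/17 (macOS)"},
]


def stored_hits(hits):
    """What the analytics backend retains: the masked IP plus every other field."""
    return [dict(h, ip=ga_style_ip_anonymization(h["ip"])) for h in hits]


def _classes(records, quasi_identifiers):
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers):
    """Smallest group of records sharing the same values for the chosen fields.
    k == 1 means at least one visitor is singled out by those fields alone."""
    return min(_classes(records, quasi_identifiers).values())


def singled_out(records, quasi_identifiers):
    """Number of records whose combination of the chosen fields is unique."""
    counts = _classes(records, quasi_identifiers)
    return sum(1 for r in records if counts[tuple(r[q] for q in quasi_identifiers)] == 1)


if __name__ == "__main__":
    stored = stored_hits(HITS)
    # Masked IP alone: all four visitors collapse into the same /24, k = 4.
    print("k over masked IP only:", k_anonymity(stored, ["ip"]))
    # Masked IP plus user agent: two visitors are already unique, k = 1.
    print("k over masked IP + user agent:", k_anonymity(stored, ["ip", "user_agent"]))
    print("visitors singled out:", singled_out(stored, ["ip", "user_agent"]))
    # The per-visitor identifier that Google Analytics assigns is itself a
    # pseudonym that singles out every record, masked IP or not.
    print("visitors singled out by client_id:", singled_out(stored, ["client_id"]))
```

Truncating the address raises k only for the IP field in isolation; as soon as the stored record is considered as a whole, the masked IP combined with the user agent already singles out individual visitors, and the client identifier singles out all of them. That is the sense in which the DPAs treated the result as pseudonymized rather than anonymized data.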
The DPF aims to do just that by addressing the concerns underlying the Schrems II decision and restoring trans-Atlantic data flows. To ensure that data transfers under the program meet the CJEU’s essential equivalence test, the Executive Order commits the U.S. to implementing new safeguards that ensure signals intelligence activities are undertaken only when necessary and proportionate. The Executive Order also creates a new independent and binding redress mechanism that allows EU individuals to seek review if they believe they have been unlawfully targeted by U.S. signals intelligence activities.
First, to ensure that intelligence activities are undertaken only when necessary and proportionate, the Executive Order states that such activities shall be conducted only following a determination that they advance a legitimate national security objective and do not disproportionately impact the protection of personal privacy and civil liberties. To meet this criterion, the activities must serve one of 12 enumerated “legitimate objectives,” such as protecting against threats to U.S. personnel, and must not pursue any of four prohibited objectives, such as suppressing freedom of expression or dissent. Finally, the Executive Order prescribes oversight mechanisms: regular independent reviews of whether intelligence activities strayed outside these bounds, senior privacy and civil liberties officials and inspectors general for each element of the intelligence community, and mandatory training on the Executive Order’s requirements.
To meet the second criterion of the CJEU’s essential equivalence test, namely that EU data subjects have an effective remedy in the U.S., the Executive Order creates a two-tier redress system whereby qualifying complaints are entitled to a full investigation and an option for review by an independent body. First, the Director of National Intelligence’s Civil Liberties Protection Officer (“CLPO”) receives, through the complainant’s data protection authority, and investigates individuals’ claims that their rights have been violated. Following an investigation, the CLPO informs the complainant, without confirming or denying that the complainant was subject to surveillance, either that the review did not identify any violations or that the CLPO issued a determination requiring remediation. Once the CLPO concludes its investigation, the individual may move to the second tier of the system and apply for review by the Data Protection Review Court (“DPRC”). If the DPRC disagrees with the CLPO’s assessment, it may issue its own determination and remedial measures, and the Executive Order makes those decisions binding on the intelligence agencies concerned. The newly created DPRC is thus meant to address the CJEU’s critique by providing independent judges, appointed from outside the government, whose rulings the agencies must implement. One caveat a practitioner should keep in mind: the DPRC is established by regulation within the Department of Justice rather than as a court under Article III of the U.S. Constitution, and whether that satisfies art. 47 of the EU Charter is likely to be contested.
However, the DPF will still need to receive an adequacy decision from the European Commission, a process that involves a draft decision, an opinion from the European Data Protection Board and approval by a committee of EU member state representatives. It will also probably face further judicial challenges from online privacy advocacy groups such as NOYB. Finally, the CJEU may ultimately determine that lawful data transfers between the EU and the U.S. are impossible until Section 702 of FISA is amended. If the DPF is struck down, that will probably sound the death knell for any hope of re-establishing easy data transfers between the EU and the U.S. until FISA is amended. On one hand, such an outcome could benefit EU businesses, in that smaller, local companies would have the opportunity to provide digital services normally dominated by tech giants on the strength of their economies of scale. On the other hand, it could stymie growth and competition, because only the largest corporations would have the resources to implement SCCs and TOMs that ensure an adequate level of protection for transferred data. In conclusion, a new agreement between the EU and the U.S. is the most likely avenue to benefit businesses and consumers by reducing legal uncertainty and compliance costs.
Note: in the U.S., executive orders have the force of law within the executive branch, but they can be amended or revoked by a later president without an act of Congress, which is one reason the durability of the DPF’s safeguards is questioned.