US Moves to Finalize “Privacy Shield 2.0” for EU-US Data Transfers

In a long-awaited move, the Biden administration has by executive order mandated new legal safeguards over United States intelligence agencies’ access to and use of European Union (“EU”) and United States (“US”) personal data.

The executive order, along with regulations issued by the Attorney General, brings the United States one step closer to finalization of an EU-US Data Privacy Framework (“DPF”) intended to address the 2020 invalidation of the EU-US Privacy Shield by the European Court of Justice (“CJEU”) in the Schrems II decision. It is a critical step in the implementation of the agreement reached in principle with the EU and announced in March this year. Schrems II saw the ECJ determine that US data surveillance laws like Section 702 of the Foreign Intelligence Surveillance Act (FISA) made it impossible for businesses to ensure that, once transferred, personal data in the United States would receive equivalent protections to those in the EU.

Criticism of Schrems II included that the CJEU overlooked that the vast majority of US-based businesses that relied on the US-EU Privacy Shield were unlikely to ever be subject to a Section 702 FISA request, or had data relevant to national security. Since the Privacy Shield’s invalidation, US-based businesses have predominantly relied on Standard Contractual Clauses (“SCCs”) and other ad-hoc solutions to legally underpin transatlantic data transfers from the EU to the US, but the long-term suitability of such approaches is as yet unclear and unlikely to be as attractive to businesses as a full legal framework.

For these businesses, the DPF is a welcomed step towards a standardized transfer framework for an EU-US economic relationship valued at over 7 trillion dollars, though concerns around the potential for a future invalidation of the DPF by the CJEU remain. By press release, the European Commission (“EC”) indicated it would now move to draft an adequacy decision and initiate the adoption process. Typically this process can take several years although it is likely that the draft adequacy decision will in this instance be prioritized.

The White House Fact Sheet on the DPF Order identifies five main areas of action:

1. Safeguards for U.S. Signals Intelligence Activities: Limits US Signals Intelligence (i.e., spy agencies) activities to the pursuit of national security objectives, after consideration of the privacy and civil liberties of all persons, and to be conducted only when necessary to advance a validated intelligence priority and only in proportion to the importance of that priority.
2. Handling Requirements: Mandates handling requirements for personal information collected through intelligence activities and extends responsibilities for legal, oversight, and compliance officials to ensure remedial actions.
3. Policy and Procedure Updates: Requires updates by the Intelligence Community to reflect new privacy safeguards;
4. Creation of multi-layer Review Board & Redress Process: to allow individuals to obtain an independent and binding review and redress of claims that their personal data collected through US signals intelligence was collected or handled in violation of applicable US law, including the enhanced safeguards set forth in the E.O.
5. Oversight Board Review of Intelligence Community Policies and Procedures: Requires the existing Privacy & Civil Liberties Oversight Board to review the Intelligence Community Policy and Procedure updates to ensure compliance with the Executive Order and to conduct an annual review of the redress process.

According to the EC’s Press Release, the Executive Order was the result of ongoing negotiation between US and EU officials and addresses to the EC’s satisfaction the concerns of the CJEU as described in Schrems II.

European consumer rights organizations and Max Schrems appear not to agree.  Schrems argues that the Executive Order’s protections do not go far enough.  In a statement published on Schrems’s None of Your Business (NOYB) website and entitled “New US Executive Order Unlikely to Satisfy EU law,” Schrems noted that the redress board is not an Article III court: “We have to study the proposal in detail but at first glance, it is clear that this ‘court’ is simply not a court. The Charter has a clear requirement for ‘judicial redress’ – just renaming a complaints body a ‘court’ does not make it an actual court. The details of the procedure will also be relevant to see if this can satisfy EU law.” The importance of Schrems and NOYB to the EU-US data transfer framework cannot be overstated, as Schrems’ legal challenges led to the 2015 invalidation of the Safe Harbor transfer framework (following the 2013 Edward Snowden revelations), and the 2020 invalidation of Privacy Shield. A challenge by Schrems to the EC’s forthcoming adequacy decision will call the long-term viability of this Executive Order into question.

For now, US and EU-based businesses may continue to evaluate the use and critical implementation of SCCs and other data transfer mechanisms to effectuate transfers of personal information from the EU-US and continue to leverage counsel for assessments of data transfer mechanisms. It will be of particular interest to large technology companies, many of whom have a significant and long-standing presence in the EEA, including Ireland.