U.S. Fulfills Commitments for Implementing EU-U.S. Data Privacy Framework
The U.S. Secretary of Commerce, Gina Raimondo, issued a statement on July 3, 2023, announcing completion of commitments by the U.S. for implementing the Trans-Atlantic Data Privacy Framework (the "Framework"). The Framework was originally announced in March 2022 after the European Court of Justice, citing concerns about lack of redress and other protections for individuals whose personal data is collected under U.S. signals intelligence authorities, invalidated the previous framework for conducting international transfers (the Privacy Shield).
In October 2022, President Biden issued Executive Order 14086 (EO 14086) on enhancing safeguards for U.S. signals intelligence activities to address the concerns of the European Court of Justice, and thereby facilitate the creation of a new streamlined mechanism for international data transfers (see our discussion of the Executive Order here).
Executive Order 14086 required additional administrative action to be fully implemented, and Secretary Raimondo's announcement confirms that the last of these administrative actions have been completed.
Specifically, the U.S. Attorney General has designated the EU, Iceland, Liechtenstein and Norway as "qualifying states" for purposes of implementing the redress mechanism established under EO 14086, including providing residents of these "qualifying states" access to the newly-established Data Protection Review Court (DPRC). The DPRC is authorized to independently review determinations made by the Civil Liberties Protection Officer (CLPO) of the Office of the Director of National Intelligence (ODNI) in response to qualifying complaints sent by individuals through appropriate public authorities that allege certain violations of U.S. law in the conduct of U.S. signals intelligence activities. The "qualifying state" designation will become effective upon the adoption of an adequacy decision by the EU for the Framework.
In addition, ODNI issued a statement announcing the release of Intelligence Community (IC) procedures for implementing new safeguards contained in Executive Order 14086. The procedures for Intelligence Community members – including the CIA, DEA's Office of National Security Intelligence, FBI and NSA, among others – were developed in consultation with the U.S. Attorney General, the ODNI CLPO, and the Privacy and Civil Liberties Board.
ODNI's set of policies and procedures for EO 14086 includes the following new safeguards for personal information collected through signals intelligence:
- Guidelines for disseminating "personal information of non-U.S. persons collected through signals intelligence" (non-U.S. PI), including limiting dissemination to circumstances in which comparable information concerning U.S. persons is permitted under section 2.3 of EO 12333;
- Data retention protocols such that retaining non-U.S. PI is allowed only if retention of comparable information concerning U.S. persons is permitted under applicable U.S. law, Presidential directives, IC directives, and procedures required by section 2.3 of EO 12333;
- Data security and access protocols such that personal information collected through signals intelligence must be maintained in "secure, certified, and accredited" facilities with access restricted to personnel who have completed all required training and have a need to access this information in the performance of authorized duties in support of ODNI missions;
- Standards relating to the relevance, quality, and reliability of personal information collected via signals intelligence activities, including consideration of alternative sources of information and interpretations of data, and objectivity in performing analysis;
- Periodic audit and review of ODNI's implementation of these policies and procedures shall be undertaken by the CLPO and reported to the DNI regarding application of the safeguards; and
- ODNI shall comply with any CLPO determination to undertake appropriate remediation, subject to any contrary determination of the DPRC, and, further, shall comply with any determination by a DPRC panel to undertake appropriate remediation.
Looking Ahead
In December 2022, following President Biden's issuance of EO 14086, the European Commission (EC) adopted a draft Adequacy Decision that would create a new transfer mechanism for EU-US transfers of personal data (see our discussion here). The European Parliament followed with a resolution urging the EC not to adopt the Adequacy Decision in its current form, and the European Data Protection Board issued an opinion on the draft Adequacy Decision that expressed some reservations. The EC will have the final say regarding whether the Adequacy Decision is implemented, and that decision is expected to be released in the coming months. In fact, the European Commission's "Committee on the protection of individuals with regard to the processing of personal data and on the free movement of such data (2018)" voted in favor of adequacy for the Framework. Twenty-four Member States voted in favor with three abstentions. It is still necessary, however, for the European Commission to formally make an Adequacy Decision.
However, it is likely that any Adequacy Decision will be challenged in court and that the challenge will take several years to be decided. Austrian privacy activist Max Schrems said he might challenge any Adequacy Decision based on EO 14086 with his advocacy group "None of Your Business" (NOYB). NOYB issued a statement quoting Schrems as saying he "can't see how [the Adequacy Decision] would survive a challenge before the Court of Justice." NOYB followed up with another statement that "any EU 'adequacy decision' that is based on Executive Order 14086 will likely not satisfy the CJEU."
These implementing measures will have some immediate effect on the international data transfer landscape. For example, when deciding that international transfers to the U.S. based on the Standard Contractual Clauses did not provide adequate protections for EU citizens' personal data, the Irish Data Protection Commission noted that once implemented, EO 14086 (and by extension, the Framework) could potentially serve as a valid international data transfer mechanism. Specifically, the Irish DPC stated that once EO 14086 has been fully implemented, the "additional protection may serve to enable lawful transfers to the U.S. again."
As such, businesses conducting international transfers of personal data from the EU to the U.S. should factor these implementing actions into their transfer impact assessments.
DWT's Privacy and Security team regularly advises clients regarding international data transfers and will continue to closely monitor developments with the Framework.