On October 7, President Joe Biden signed an Executive Order (EO) on Enhancing Safeguards for United States Signals Intelligence Activities, which is intended to move forward next steps in the EU US Privacy Shield Framework negotiations, colloquially known as “Privacy Shield 2.0.” The EO strengthens privacy safeguards around US intelligence data collection and is intended to put the US and European Union closer to a new agreement for US companies to transfer data from Europe to the United States in accordance with the EU General Data Protection Regulation (GDPR).
By way of background, in July 2020, the Court of Justice of the European Union (CJEU) ruled in favor of privacy activist Max Schrems in a case known as Schrems II, striking down the prior EU-US Privacy Shield Framework due to concerns about US surveillance of EU residents, sending thousands of US companies into limbo and scrambling to put in place an alternative cross-border transfer mechanism (e.g., the EU Standard Contractual Clauses). Schrems II also laid out additional steps that companies wishing to transfer personal information to the United States and other jurisdictions not considered “adequate” from a privacy perspective had to undertake, on a case-by-case basis, to confirm whether the protections they offered met EU standards. The net effect created extreme complexity and uncertainty for organizations worldwide. Since that time, EU and US authorities have engaged in intense negotiations of an updated Privacy Shield. The new EO appears to be the next effort on the US side to move the process forward.
The new EO restricts electronic surveillance by US intelligence agencies to activities “only in pursuit of defined national security objectives,” and also allows Europeans and other eligible individuals to complain to the Office of the Director of National Intelligence if they believe their data was collected in a manner violating the new standards. In addition, individuals would be able to appeal their case to the Data Protection Review Court, a newly-created independent court with judges from outside the US government who have relevant experience in both data privacy and national security. The Data Protection Review Court will have powers to investigate complaints, including within US intelligence agencies; and, if the data was collected in violation of the EO, order that it be deleted.
US Secretary of Commerce Gina Raimondo said in a statement that the framework “fully address[es]” the Schrems II ruling and provides “a durable and reliable legal foundation and certainty for transatlantic data flows.” She plans to transfer a series of documents regarding the new framework to her EU counterpart, European Commissioner for Justice Didier Reynders, who will assess the sufficiency of the data protection measures with an eye toward restoring the adequacy decision that previously applied to Privacy Shield. Reynders also expressed optimism about the framework, calling it a “significant step in our determination to restore safe and free transatlantic data flows.”
However and not surprisingly, Schrems himself expressed skepticism about the new framework, predicting that the package “will be back to the CJEU sooner or later.” Other consumer watchdogs also have doubts. The American Civil Liberties Union said in a statement that the order “does not go far enough,” and BEUC (Bureau Européen des Unions de Consommateurs), a European consumer group, said in a press release that the framework is “likely still insufficient to protect Europeans’ privacy and personal data when it crosses the Atlantic.” Nonetheless and in spite of the almost certain challenge by privacy advocates in the EU and even potential opposition at home, the EO represents a significant step toward restoring an adequacy decision for the US program and related smooth data transfers between the US and EU. We will track developments closely, particularly reactions from Reynders and EU authorities in general. In the meantime, organizations should continue to work toward implementing or updating their current cross-border transfer solution, particularly the transition to the new EU Standard Contractual Clauses, as the December 27, 2022 deadline for that change is fast approaching.