Privacy Shield 2.0: the Trans-Atlantic Data Privacy Framework

EP Committee publishes draft resolution rejecting Draft Adequacy Decision on DPF, 14 February 2023

Well, with previous regulators and commentators coming down on either side, and on the fence, over the DPF, no-one said it would be easy. On 14 February 2023, the Committee on Civil Liberties, Justice and Home Affairs published a draft motion for an EP resolution available [instant PDF download] here.

It’s only 6 pages so it’s a quick read but as a Valentines it’s very much ‘it’s not me it’s U[SA]’.

It’s not positive but it’s not binding and some of the points are debateable. Now for the EDPB opinion and to see how the EC reacts.

EC sends Draft Adequacy Decision on DPF to EDPB, 13 December 2022

There’s still a ways to go but we’ve more positive news on the DPF’s progress as the European Commission published its draft adequacy decision for the DPF on 13 December 2022!

As the EC notes:

“The draft adequacy decision concludes that the United States ensures an adequate level of protection for personal data transferred from the EU to the US. This is based on an in-depth assessment of the Data Privacy Framework itself and its obligations for companies, as well as the limitations and safeguards on access by US public authorities to data transferred to the US, in particular for criminal law enforcement and national security purposes.”

And as to next steps, as the EC sets out in the FAQs:

“The draft adequacy decision was transmitted to the European Data Protection Board (EDPB) for its opinion.

Afterwards, the Commission will need to obtain the green light from a committee composed of representatives of the EU Member States. In addition, the European Parliament has a right of scrutiny over adequacy decisions.

Only after that, the European Commission can adopt the final adequacy decision, which would allow data to flow freely and safely between the EU and US companies certified by the Department of Commerce under the new framework.”

What they don’t say is that the EC can push forward on the adequacy decision regardless, the EDPB and EP views are non-binding. Given the nature of these things, there have always been various reservations and recommendations from the EDPB and EP on adequacy decisions, not all of which mean the EC reopens the negotiations. And there’s a lot of pressure to get a successor to Privacy Shield in place (not least for all the EUIs using cloud services with US aspects).

US implements Data Protection Framework (EU-US DPF), 07 October 2022

Some very welcome positive news! President Joe Biden signed an Executive Order on 7 October 2022 ‘directing the steps that the United States will take to implement the U.S. commitments under the European Union-U.S. Data Privacy Framework (EU-U.S. DPF) announced by President Biden and European Commission President von der Leyen in March of 2022.’ (White House Fact Sheet)

At the same time, the US Attorney General issued accompanying regulations on the establishment of the new court, the DPRC (more on that below).

The EO states, right at the start:

At the same time, the United States recognizes that signals intelligence activities must take into account that all persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and that all persons have legitimate privacy interests in the handling of their personal information.

As the White House states, ‘These steps will provide the European Commission with a basis to adopt a new adequacy determination, which will restore an important, accessible, and affordable data transfer mechanism under EU law. It will also provide greater legal certainty for companies using Standard Contractual Clauses and Binding Corporate Rules to transfer EU personal data to the United States.‘

The EO is 15 pages long and, for example sets out 12 legitimate objectives for ‘SIGINT’ activities and 5 prohibited objectives. But the three biggest changes, and the changes likely to generate the most interest, are restrictions on data gathering, the right to recourse for EU data subjects, and restrictions on bulk collection.

Necessary and proportionate

The EO requires US signals intelligence activities (our emphasis) ‘shall be conducted only following a determination, based on a reasonable assessment of all relevant factors, that the activities are necessary to advance a validated intelligence priority‘.

Such activities must be (our emphasis) ‘conducted only to the extent and in a manner that is proportionate to the validated intelligence priority for which they have been authorized, with the aim of achieving a proper balance between the importance of the validated intelligence priority being advanced and the impact on the privacy and civil liberties of all persons, regardless of their nationality or wherever they might reside’

These provisions address the CJEU’s key concerns. There are still arguments around bulk surveillance, but this is clearly adopting EU law wording into when such activities can take place.

Right to recourse

The EO creates ‘a multi-layer mechanism for individuals from qualifying states and regional economic integration organizations, as designated pursuant to the E.O., to obtain independent and binding review and redress of claims that their personal information collected through U.S. signals intelligence was collected or handled by the United States in violation of applicable U.S. law, including the enhanced safeguards in the E.O.’

First, the new Civil Liberties Protection Officer (CLPO) in the Office of the Director of National Intelligence will conduct the initial investigation of qualifying complaints received and determine the appropriate remediation. The White House states that ‘the CLPO’s decision will be binding on the Intelligence Community, subject to the second layer of review, and provides protections to ensure the independence of the CLPO’s investigations and determinations’.

That second layer of review is a new Data Protection Review Court (DPRC) to provide ‘independent and binding review of the CLPO’s decisions‘. The actual independence of the DPRC is a big area of discussion. As the White House notes, judges on the DPRC will be appointed from outside the U.S. Government, have relevant experience in the fields of data privacy and national security, review cases independently, and enjoy protections against removal. Decisions of the DPRC regarding whether there was a violation of applicable U.S. law and, if so, what remediation is to be implemented will be binding.

Restrictions on bulk collection

The EO sets out prioritisation and restrictions: ‘Targeted collection shall be prioritized. The bulk collection of signals intelligence shall be authorized only based on a determination—by an element of the Intelligence Community or through an interagency committee consisting in whole or in part of the heads of elements of the Intelligence Community, the heads of departments containing such elements, or their designees that the information necessary to advance a validated intelligence priority cannot reasonably be obtained by targeted collection. When it is determined to be necessary to engage in bulk collection in order to advance a validated intelligence priority, the element of the Intelligence Community shall apply reasonable methods and technical measures in order to limit the data collected to only what is necessary to advance a validated intelligence priority, while minimizing the collection of non-pertinent information.’

European Commission starts drafting Adequacy Decision, 7 October 2022

The EC announced on 7 October 2022 that it started to draft its adequacy decision based on the Executive Order. In its FAQ, one stands out:

‘4. Why does the Commission think that the Court of Justice of the EU will not strike down the agreement again?

The objective of the Commission in these negotiations has been to address the concerns raised by the Court of Justice of the EU in the Schrems II judgment and provide a durable and reliable legal basis for transatlantic data flows. This is reflected in the safeguards included in the Executive Order, regarding both the substantive limitation on US national security authorities’ access to data (necessity and proportionality) and the establishment of the new redress mechanism.’

Max Schrems and NOYB, 7 October 2022

Despite the movement by the USA towards EU data protection law norms, it looks like Max Schrems and NOYB will launch a challenge. For example, NOYB point out that an EO is not a law and can be overturned by a future president and, to quote some of their statement: “There is continuous “bulk surveillance” and a “court” that is not an actual court.”

Comment

So we’ll have to watch this space as the EC moves through its process, likely to complete in March 2023, and how any challenge along that path, and afterwards, pans out. But this is positive news for business in a time of high uncertainty. And as the EC points out, the steps put in place by the EO are not limited to the Privacy Shield successor:

All the safeguards that the Commission has agreed with the US Government in the area of national security (including the redress mechanism) will be available for all transfers to the US under the GDPR, regardless of the transfer tool used.

Agreement in principle reached on new Framework, 25 March 2022

White House publish Fact Sheet on new Framework, 25 March 2022

The White House published a detailed Fact Sheet the same day as speeches by the two Presidents, announcing a new Trans-Atlantic Data Privacy Framework.

The statement indicates many features are agreed, and stresses the importance of the deal in terms of trade:

‘In fact, more data flows between the United States and Europe than anywhere else in the world, enabling the $7.1 trillion U.S.-EU economic relationship.’

In terms of some of that detail:

‘For EU individuals, the deal includes new, high-standard commitments regarding the protection of personal data.’

‘For example, the new Framework ensures that:

• • Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties;
  • EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the U.S. Government who would have full authority to adjudicate claims and direct remedial measures as needed; and
  • U.S. intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards. 

Participating companies and organizations that take advantage of the Framework to legally protect data flows will continue to be required to adhere to the Privacy Shield Principles, including the requirement to self-certify their adherence to the Principles through the U.S. Department of Commerce. EU individuals will continue to have access to multiple avenues of recourse to resolve complaints about participating organizations, including through alternative dispute resolution and binding arbitration.’

The respective teams will now work to finalise the legal documents. The US and EU published a joint statement with the same information.

EC President statement on Privacy Shield successor, 25 March 2022

A year after the joint EU-US announcement to intensify negotiations (see below), European Commission President, Ursula von der Leyen, announced ‘agreement in principle’ on a new trans-Atlantic Framework:

‘And we also need to continue adapting our own democracies to a changing world. This is particularly true when it comes to digitalisation, in which the protection of personal data and privacy has become so crucial. Therefore, I am very pleased that we have found an agreement in principle on a new framework for transatlantic data flows. This will enable predictable and trustworthy data flows between the EU and US, safeguarding privacy and civil liberties. I really want to thank Commissioner Reynders and Secretary Raimondo for their tireless efforts over the past months to find a balanced and effective solution. This is another step in strengthening our partnership. We manage to balance security and the right to privacy and data protection.’

The EU has also published a Fact Sheet.

Biden refers to Privacy Shield successor, 25 March 2022

US President, Joe Biden, referred to a Privacy Shield successor on 25 March 2022 in a major speech in Brussels after meeting European Commission President, Ursula von der Leyen.

You can watch the segment from 41:06 and we’ve put a transcript below.

Keepabl transcript of relevant section of Biden’s speech

‘And I’m proud to announce that we’ve also reached another major breakthrough in trans-Atlantic data flows. Privacy and Security are key elements of my digital agenda and, today, we’ve agreed to unprecedented protections for Data Privacy and Security for our citizens.

This new arrangement will enhance the Privacy Shield framework, promote growth and innovation in Europe and the United States, and help companies both small and large compete in the digital economy. Just as we did when we resolved the Boeing Airbus dispute and lifted the steel and aluminium tariffs, the United States and the EU are finding creative new approaches to knit our economies and our people closer together, grounded on shared values.

This framework underscores our shared commitment to Privacy, to Data Protection, and to the rule of law. And it’s going to allow the European Commission to once again authorise trans-Atlantic data flows that help facilitate $7.1 trillion in economic relationships with the EU.

So thank you again, Madam President, for your personal friendship, for your partnership and above all, your leadership. All of this is bringing the European Union and the United States even closer together. And that’s a win for all of us.’ 

NOYB’s response, 25 March 2022

Max Schrems’s NOYB organisation posted their response the same day which was, shall we say, cautious. This just highlights the intense scrutiny any successor to Privacy Shield will face.

“We already had a purely political deal in 2015 that had no legal basis. From what you hear we could play the same game a third time now. The deal was apparently a symbol that von der Leyen wanted, but does not have support among experts in Brussels, as the US did not move. It is especially appalling that the US has allegedly used the war on Ukraine to push the EU on this economic matter.”

“The final text will need more time, once this arrives we will analyze it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.“

“It is regrettable that the EU and US have not used this situation to come to a ‘no spy’ agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.”

Politico link announcement to war in Ukraine, 24 March 2022

Politico’s reported, a day ahead of Biden’s announcement, that the US was linking the need to accelerate the Privacy Shield replacement with the war in Ukraine. Biden is in Europe for NATO talks and to visit European partners.

Politico’s report notes that the legal complexities haven’t diminished but its sources state that the proposed deal ‘was based, in part, on recent suggestions from a group of privacy experts. That included the creation of a new agency within the U.S. Department of Justice to oversee how the country’s intelligence agencies handle Europeans’ data; a White House executive order to give that group hefty investigative powers; and the ability for Europeans to challenge that data collection through U.S. federal courts.’

Politico report deal nearly done, 03 February 2022

Politico’s reporting continues to lead on the Privacy Shield replacement and they now report optimistic hopes among officials for an announcement in May 2022. The full article is well worth a read.

Politico reports hopeful negotiations, 21 October 2021

Politico reported that the US has proposed an oversight structure with independent judges who would review ‘whether U.S. collection of European data was lawful and proportionate’.

Politico’s sources stress that nothing is fixed as yet and noted the similarity to the Privacy Shield’s ombudsman. Negotiating teams are reported to be meeting regularly with the aim to announce a deal by the end of the year, though Politico notes any deal will have to withstand inevitable scrutiny.

EU & US intensify negotiations, 25 March 2021

On 25 March 2021, EU Commissioner for Justice, Didier Reynders, and U.S. Secretary of Commerce, Gina Raimondo, released a joint statement regarding the negotiations on transatlantic data privacy flows:

“The U.S. Government and the European Commission have decided to intensify negotiations on an enhanced EU-U.S. Privacy Shield framework to comply with the July 16, 2020 judgment of the Court of Justice of the European Union in the Schrems II case.’

The statement is welcome but industry is keen to see a successor adequacy decision put in place.

The Schrems II decision, ‘Day Zero’, 16 July 2020

To learn more about Schrems II, see our blog: What is Schrems II and Privacy Kitchen’s video at the time of the decision: Privacy Shield is Down.