Why the New EU-U.S. Data Privacy Framework Provides Privacy Protections Equivalent to EU Law
For the past few years, European and global businesses have faced significant legal uncertainty about their data transfers. In 2020, the Court of Justice of the European Union (CJEU) took issue with U.S. national security laws in its Schrems II decision, invalidating the Privacy Shield framework that had allowed for transatlantic data flows since 2016.
Following, and in connection with, this CJEU ruling, several EU data protection authorities took far-reaching actions affecting data transfers. They have ruled against the use of many online services used daily by European consumers, businesses, and public sector employees, from video conferencing software and email marketing services to website analytics and the content delivery services used to reduce website latency. The newly announced EU-U.S. Data Privacy Framework, however, promises to end this cloud of uncertainty.
In October, the United States announced a new Framework — consisting of an Executive Order (EO) and accompanying Department of Justice regulations — that introduces unprecedented safeguards to protect the privacy of Europeans in U.S. national security investigations. The new Framework imposes binding data access limitations on all U.S. agencies and creates an independent redress mechanism for Europeans to enforce these protections.
Now, many may wonder whether this new Framework actually provides a level of data protection to Europeans that is “essentially equivalent” — which is the requirement introduced by the CJEU in 2020 — to the privacy safeguards found in the EU. In other words, is the Framework Schrems-proof?
We think it is. Beyond the Schrems decisions, the CJEU has developed extensive case law describing the necessary permissions and privacy limitations for governments to obtain people’s private information, including concerns related to EU governments’ data collection laws and practices in national security matters. Below, we outline how the new U.S. Executive Order adheres to what the CJEU decisions require, concluding the Framework does indeed provide “essentially equivalent” protection to what is granted under EU law.
Clear, Precise, and Accessible Rules
The CJEU has ruled on several occasions that a state’s intelligence program must follow clear, precise, and accessible rules when collecting personal information. This means that the laws or regulations governing the collection must be binding and must describe the criteria under which agencies may use these authorities.
The Executive Order addresses this first set of CJEU concerns by creating a new set of rules governing how U.S. intelligence agencies conduct data collection, and signals intelligence activities in particular, meaning the collection of intelligence from communications and information systems. The Civil Liberties Protection Officer (CLPO) of the Office of the Director of National Intelligence is now responsible for assessing whether proposed signals intelligence collection priorities fall under the “legitimate objectives” for targeted collection (e.g. protecting against terrorism, or protecting the integrity of U.S. elections and infrastructure), the narrower set of objectives for which indiscriminate (“bulk”) collection is permissible, or the prohibited objectives (e.g. suppressing free expression).
Although the President may update these objectives later, the EO specifies that targeted collection must still be prioritized over bulk collection. The Order further requires the head of each element of the intelligence community to publish its implementing procedures and policies in a timely manner, including the requirement to report any “significant incident of non-compliance”. The CJEU is likely to find this expansive and transparent framework much clearer than what was previously provided by Presidential Policy Directive 28 (PPD-28) and Privacy Shield.
Adhering to “Proportionality and Necessity” for Government Signals Intelligence Activities
The CJEU also requires that any proposed government collection of data be necessary and proportionate to the specified public interest objective. This determination requires measuring the seriousness of the interference (e.g. targeted versus bulk collection) and verifying the legal basis for the collection. In its Privacy International and La Quadrature du Net & Ordre des Barreaux decisions, the CJEU reaffirmed that domestic legislation may not, as a general rule, permit the general and indiscriminate collection of communications data.
The CJEU noted that a genuine and present serious threat to an EU Member State’s national security could justify a more serious interference, including temporarily requiring communication services to generally and indiscriminately retain traffic and location data. However, the CJEU made clear that signals intelligence activities must adhere to the principle of proportionality, and it outlined the process for determining when such collection is appropriate.
This is precisely what the EO now foresees. First, it creates new restrictions for bulk collection and limits its use to only certain objectives and when targeted data collection is unavailable. How these restrictions will be implemented in practice will depend on several factors like the “availability, feasibility, and appropriateness” of other less intrusive methods, the steps taken to limit the scope of the collection, the nature and sensitivity of the data, and the nature of the pursued objective.
The EO also imposes new safeguards for the handling of personal information, such as data minimization and data security requirements. Indeed, the EO’s new requirements around necessity and proportionality address the shortcomings of Privacy Shield with clearer and more comprehensive considerations.
As far as bulk surveillance is concerned, similar standards and conditions should apply to both EU Member States and non-EU jurisdictions as the Court of Justice seeks to ensure “essentially equivalent protection” of Europeans’ personal data regardless of where the data is processed, and by whom.
Establishing Independent Oversight and Redress Mechanisms
Another factor the CJEU weighs in deciding whether protection is “essentially equivalent” is whether independent oversight and effective redress for individual privacy violations are available. Specifically, the Court has held that the oversight body and its members must be independent of the executive and must be able to effectively verify whether a program adhered to the appropriate safeguards during the collection and processing of the data. The oversight body must have access to the relevant information, must be free from discretionary removal, and must have the power to adopt remedial decisions that are binding on the intelligence services.
The EO provides new binding and substantive safeguards for residents of “qualifying states”, including EU residents. An individual can now submit a qualifying complaint to the Civil Liberties Protection Officer (CLPO) of the Office of the Director of National Intelligence alleging that a “covered violation” occurred, that is, a signals intelligence activity that adversely affected the complainant’s privacy and civil liberties interests and violated applicable U.S. law.
The CLPO has the authority to issue a determination that is binding on the intelligence community agencies and to identify appropriate remediation if a violation is found. Either the complainant or an element of the intelligence community may then seek review of the CLPO’s determination before the Data Protection Review Court (DPRC), established by the accompanying Department of Justice regulations. DPRC judges are granted full investigatory powers and the authority to order an agency to undertake appropriate remediation (such as deleting the specific data gathered in violation).
While the DPRC is closer to an independent administrative body than to a judicial court, this new structure provides a much stronger redress mechanism than the Privacy Shield Ombudsperson, who lacked the authority to investigate complaints (having neither the security clearances nor the expertise to do so), the power to issue binding remedial decisions, and sufficient independence from the executive branch (in terms of appointment and removal provisions).
The transatlantic business community now eagerly awaits the European Commission’s “adequacy decision” that will formally recognize the new Framework, to be adopted after an opinion from the European Data Protection Board and approval by a committee of Member State representatives. The Executive Order and Department of Justice regulations, however, already took effect on October 7, 2022, and remain binding on all U.S. intelligence agencies.
This means that, today, Europeans already enjoy enhanced protection of their personal data in U.S. national security investigations, with or without that adequacy decision. It also means that the new safeguards introduced by the EO are a significant change of circumstances that European data protection authorities must take into account in all pending data transfer investigations, consistent with the Schrems II ruling.