EU-US Transfer Framework

European UnionTrans-Atlantic Data Privacy FrameworkUS Data Privacy Legislation
Written By Jason Shoup

On October 7, 2022, President Joe Biden signed an executive order to secure a data transfer agreement between the European Union (EU) and United States (US).

Many industry experts are hopeful that this Agreement “could be the crucial step necessary” to replace the Privacy Shield agreement that was struck down by the Court of Justice of the European Union in August 2020.

As explained in this previous ADCG article, “the decision to invalidate Privacy Shield came from a lawsuit initiated by Austrian lawyer and privacy activist Max Schrems in 2013 (Case C-311/18). In that case, Schrems challenged Facebook Ireland’s reliance on the framework’s Standard Contractual Clauses (SCCs) as a legal justification for transferring personal data to Facebook Inc.’s United States servers. Based on this reliance, the court invalidated the framework, despite upholding the legal validity of SCCs.”

In response, on March 25, 2022, President Biden and EU President Ursula von der Leyen issued a joint statement affirming their intention to advance a Trans-Atlantic Data Privacy Framework, which will “foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in the Schrems II decision of July 2020.”

According to the Wall Street Journal, this decision “prompted broad rulings on how companies use technology.” Reportedly, the EU regulators “said companies must stop moving data to the U.S. or using certain American tech providers altogether, citing the lack of protections to prevent potential surveillance.”

According to Mondaq, The new EU-US framework consists of two main objectives, the first being, “substantive safeguards for U.S. signals intelligence activities, requiring the necessary and proportionate collection of intelligence.” What does this mean? Surveillance of EU citizens by the U.S. must be conducted with consideration for “the privacy of all persons regardless of nationality or residency,” grounded in national security, and limited only to instances “necessary to advance validated intelligence priorities in a manner that is proportionate to such priorities.” Legitimate objectives of these activities “include protection against espionage, terrorism, foreign military capabilities, cybersecurity threats and other such purposes” as well as those authorized by the President.

Second, if the intelligence activities are beyond these legitimate bases, the executive order establishes a redress mechanism to address consumer complaints will be established “to address complaints pertaining to data collection.”

This redress mechanism will be subject to review for compliance with United States laws, and subject to remediation by “both the Civil Liberties Protection Officer (CLPO) in the Office of the Director of National Intelligence and a new independent Data Protection Review Court, established by the Attorney General.” The decisions of these oversight authorities are subject to challenge before the new Data Protection Review Court established under Biden’s executive order.

Additionally, the executive order requires the “elements of the Intelligence Community”— the Defense Intelligence Agency (DIA), the National Security Agency (NSA), the National Geospatial- Intelligence Agency (NGA), the National Reconnaissance Office (NRO), and intelligence elements of the five DoD services; the Army, Navy, Marine Corps, Air Force, and Space Force—to consult with the Privacy and Civil Liberties Oversight Board (PCLOB), and to update their policies and procedures to reflect newly-required safeguards within one year from now. In response to the order, PCLOB stated they’d plan to  comply.

Importantly, the Executive Order has reportedly  provided the European Commission with a basis to adopt a new adequacy decision—which Mondaq predicts “will take around six months and will lead to a final adequacy decision being published in roughly March 2023.” Until then, The Association of the Internet Industry (Eco)—a European trade association —has urged the European data protection authorities to refrain from issuing fines or prohibiting transfers.

The Wall Street Journal states a draft of the EU-U.S. DPF is expected in the spring of 2023. Upon its release, regulatory and legislative authorities from both sides will scrutinize the agreement. Wojciech Wiewiórowski, the European Data Protection Supervisor stated “regulators will focus in part on whether the new data protection court is independent from government influence” and whether the additional oversight requirements to be placed on their agencies is tolerable. Implementation will require the representatives from the 27 EU countries to sign off on the terms.

In response to the release of the executive order, Max Schrems has expressed doubt about the inefficiencies in the program, in contrast with other activists. According to statements by John Miller—Chief Legal Officer at the Information Technology Industry Council, a Washington-based tech lobby group—and Peter Harrell, Senior Director For International Economics and Competitiveness at the National Security Council—companies are poised to benefit immediately from the increased security and support surrounding these trans-Atlantic data flows.

* * * * * * *

To read this week’s news alerts covering: Montana’s vote on data privacy amendment, privacy professionals weighing in on the Trans-Atlantic Framework, Australia’s move to Increase Data Breach Penalties, and a Virginia senator pushing back against Meta, click here.

This week’s breach report includes Advocate Aurora, Microsoft, Whitworth University and IDealwine. Click here to find out more.

To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.

Jody Westby hosts our podcast, ADCG on Privacy & Cybersecurity, bringing together leaders in the privacy and cybersecurity arenas to discuss a wide range of issues ranging from the proposed federal and state regulations to best practices and standards for compliance. Episodes can be enjoyed on many platforms including Spotify and Apple Podcasts.

79 | Understanding 5G Cybersecurity Issues

78 | The Nexus Between Privacy, Cybersecurity & National Security

77 | Privacy & Cybersecurity Whistleblowers: A New Trend?

Don’t forget to subscribe!

Jason Shoup
Previous

ADCG’s Update on the EU/US Data Transfer Framework
Next

News Alerts and Breach Report for Week of October 24, 2022