In a string of executive actions unveiled on October 7, 2022, the U.S. government took steps to implement the EU-U.S. Data Privacy Framework (DPF), the third attempt to secure trans-Atlantic data flows after the European Court of Justice’s (ECJ) rejection of prior attempts in the Schrems I and Schrems II decisions. In an effort to address the ECJ’s concerns over U.S. surveillance law, U.S. President Joe Biden signed an executive order (EO) and U.S. Attorney General Merrick Garland executed new DOJ regulations reforming how U.S. intelligence agencies collect and use personal data. Following these actions, U.S. Secretary of Commerce Gina Raimondo announced the development of new commercial principles to which companies will need to self-certify to participate in the DPF.
Despite all of this, like its predecessor, the DPF is likely to face a legal challenge by privacy advocates, and its long-term prospects are uncertain. Still, the importance of EU-U.S. data transfers cannot be overstated in today’s global economy. Many companies will find it worthwhile to certify to the DPF to streamline their own operations and to assure customers, partners and regulators that they are taking all available measures to protect cross-border data flows.
WHAT ARE THE NEW SURVEILLANCE REFORMS?
The new EO is designed to address the ECJ’s concerns over the breadth of U.S. surveillance authorities. The EO imposes new limits on the collection and use of personal data by U.S. intelligence agencies. All such intelligence programs must:
Be conducted “in pursuit of” one of twelve new “legitimate objectives,” including, for example, protecting against terrorism, foreign military, transnational criminal and cybersecurity threats, and related national security objectives;
Take civil liberties into account, as well as any available “less intrusive” means, in pursuing the documented objective(s);
Not be for “the purpose” of one of four “prohibited objectives,” including suppressing privacy or freedom of expression;
Adhere to additional, narrower security objectives in the case of “bulk collection”; and
Be subject to additional new data minimization, sharing and retention limits.
Second, the EO creates a new “redress” mechanism by authorizing and directing the Attorney General to establish a Data Protection Review Court (DPRC). An Article II body, the DPRC will be empowered to issue decisions on alleged violations of U.S. law. The DPRC will review complaints through a complex process requiring the designation of “qualifying” foreign governments that can transmit complaints on behalf of complainants. The DPRC’s decisions will be binding on U.S. intelligence agencies, which will be required to implement “appropriate remediation.”
THRICE IN A LIFETIME: WILL THE DPF SURVIVE SCHREMS III?
The new EO represents a clear step forward from the Privacy Shield Framework. The surveillance purpose limitations directly address the ECJ’s concerns around necessity and proportionality in Schrems II, and the redress mechanism is designed to allow independent oversight and correct the asserted deficiencies the ECJ found with the Privacy Shield Framework’s Ombudsperson.
However, critics of the DPF will likely argue that these reforms do not go far enough. But this time the devil is even more in the details than previously. Indeed, Mr. Schrems has already expressed his view that the DPF is insufficient. His statements raise the specter of a likely Schrems III case challenging the DPF after the framework enters into force in the European Union. Privacy professionals should prepare for yet another extended court battle over the scope and proportionality of U.S. surveillance to play out over the coming years because the following remains true even after the recent changes by the U.S. government:
The new surveillance purpose limitations still retain broad “legitimate objectives,” potentially creating inconsistency with EU standards of “necessity and proportionality,” which require frequent reassessments of the level of existing threats.
Surveillance programs under FISA 702 will continue to be conducted without individualized judicial approval (which likely will be an issue in subsequent ECJ reviews) and will not qualify as “bulk collection” under the EO.
The DPRC’s requirement to grant “appropriate deference to any relevant determinations made by national security officials” may limit the scope of its review over purpose determinations made by intelligence officials.
Complainants to the DPRC will not be informed of the disposition of their cases or what “redress” was performed and may have little incentive to bring complaints, which may conflict with the ECJ’s prior rulings requiring that data subjects’ rights be enforceable.
WHAT DOES IT ALL MEAN FOR COMPANIES?
Despite the DPF’s uncertain future, companies should take note of these developments. The DPF has immediate practical value for companies transferring data to the United States pursuant to “transfer impact assessments,” which evaluate the risks of specific data transfers under local law. Many of the provisions of the EO can be used to support these assessments on the grounds that intervening changes to U.S. law change the Schrems II analysis.
Finally, once the DPF enters into full force, many companies will find value in signing on to the new DPF even as court challenges proceed. The framework will provide an extra layer of protection for data transfers at a time when these activities pose complex legal challenges for many businesses. So, while questions remain as to whether these most recent actions by the United States will suffice, it is unquestionable that at least for some period of time, they will help companies address the current challenges of EU-U.S. personal data transfers.