EU Court Decision Invalidating Privacy Shield Results in Massive Confusion for U.S. Businesses: Second Addendum

This post is an update. Read the original post here, the first addendum here, and the third addendum here.

On October 7, 2022, President Biden issued an Executive Order strengthening safeguards for U.S. activities involving signals intelligence (that is, intelligence derived from electronic signals and systems). Signals intelligence is at the heart of the controversy surrounding the transfer of personal data of residents of the European Union (EU) to the U.S. According to the Executive Order, the U.S. collects signals intelligence

so that its national security decision makers have access to the timely, accurate, and insightful information necessary to advance the national security interests of the United States and to protect its citizens and the citizens of its allies and partners from harm.

As we have previously discussed, in July 2021 the Court of Justice of the European Union (“CJEU”), in a case known as Schrems II, invalidated the Privacy Shield, the safe harbor mechanism relied on by thousands of businesses to transfer personal data from the EU to the U.S. in a manner compliant with GDPR. Compliance with the Privacy Shield had allowed the U.S. to be listed as a country deemed to have adequate safeguards to allow the free transfer of personal data of EU residents. The CJEU decision was based on findings that (i) national security and law enforcement interests in the U.S. can take precedence over individual privacy rights and that (ii) data subjects do not have an effective legal remedy in such situations.

Following the decision, the U.S. and the EU began working on a replacement for the Privacy Shield, and in March 2022 it was announced that an agreement in principle had been reached on Privacy Shield 2.0, to be called the Trans-Atlantic Data Privacy Framework. The Executive Order is the next step in this process and is intended to limit data collection to specifically defined situations and to establish a redress mechanism. In announcing the Executive Order, the White House stated that the Executive Order does the following:

  • Adds further safeguards for U.S. signals intelligence activities, including requiring that such activities be conducted only in pursuit of defined national security objectives; take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence; and be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority.
  • Mandates handling requirements for personal information collected through signals intelligence activities and extends the responsibilities of legal, oversight, and compliance officials to ensure that appropriate actions are taken to remediate incidents of non-compliance.
  • Requires U.S. Intelligence Community elements to update their policies and procedures to reflect the new privacy and civil liberties safeguards contained in the E.O.
  • Creates a multi-layer mechanism for individuals from qualifying states and regional economic integration organizations, as designated pursuant to the E.O., to obtain independent and binding review and redress of claims that their personal information collected through U.S. signals intelligence was collected or handled by the United States in violation of applicable U.S. law, including the enhanced safeguards in the E.O. ...
  • Calls on the Privacy and Civil Liberties Oversight Board to review Intelligence Community policies and procedures to ensure that they are consistent with the Executive Order and to conduct an annual review of the redress process, including to review whether the Intelligence Community has fully complied with determinations made by the CLPO and the DPRC.

The next step is a ratification process by the relevant EU institutions, and, assuming ratification by the European Commission, a new adequacy decision could be issued in early 2023. Separate arrangements will need to be negotiated with the UK and with Switzerland.

Not everyone believes that the mandates of the Executive Order will satisfy GDPR; skeptics point in particular to potential disagreements as to the meaning of key terms, the establishment of a court within the executive branch, and the possible lack of longevity of an executive order as distinguished from legislation. One can envision a Schrems III in the near future. We will continue to monitor developments as businesses await an end to the uncertainty that they hope a new adequacy decision will bring.