Alan Wehler

An Updated Privacy Shield at Last?

What Happened

Last Friday, President Biden signed an Executive Order on Enhancing Safeguards for the United States Signals Intelligence Activities (expected to be EO 14086), which directs the U.S. government to take steps consistent with commitments the U.S. has made under the European Union-U.S. Data Privacy Framework announced by President Biden and European Commission President von der Leyen during their meeting in Brussels in March 2022. Since that time, U.S. policymakers have been working with their European colleagues to finalize the details of that agreement, in particular, specifics regarding the additional safeguards and mechanisms that the U.S. would put in place to address the concerns identified by the Court of Justice of the European Union in the Schrems II decision. That ruling invalidated the EU-U.S. Privacy Shield Agreement in July 2020 over concerns about how U.S. authorities might gain access to private European data for national security purposes.

The invalidation of the Privacy Shield framework left many companies in a state of legal limbo, requiring them to pursue more difficult means of achieving compliance with EU data protection laws (such as the implementation of Standard Contractual Clauses) or putting them at risk of legal and regulatory sanction from European authorities.

What does it mean?

By signing this Executive Order, President Biden has put the U.S. on a path to restoring the Privacy Shield agreement. While it will take time for the Government, most notably the Intelligence Community and Department of Justice, to comply with the provisions of the order, and for European authorities to formally issue a decision of “adequacy,” it is expected that Privacy Shield will be restored early next year. However, this is not expected to be the final word on U.S.-EU data transfers and European data protection requirements as privacy advocates in Europe are poised to challenge the updated mechanism with European courts and data protection authorities, claiming that the Privacy Shield framework remains inadequate even with the changes that will be made as a result of the Executive Order. It seems certain that the Court of Justice of the European Union will hear a case challenging the new agreement in late 2023 or 2024.

Why It Matters

The enhanced safeguards contained in the Executive Order include a variety of important changes to how the U.S. Intelligence Community gains access to the private data of EU citizens held or transferred by U.S. companies, including new policies on considering the privacy and civil liberties of the collection target and those who might be caught up in “incidental collect.” However, the most notable changes relate to the creation of a new “redress mechanism” for individuals from the U.S. and European countries who suspect that their personal information has been inappropriately or illegally collected by U.S. intelligence authorities to challenge that collection and seek remedy.

Key elements of the new mechanism include:

  1. The ability for the U.S. Attorney General to determine if the EU or a European state is a “qualifying” state/organization under the framework, allowing the U.S. to take into consideration the intelligence collection practices of European countries when determining if the redress mechanism applies to its citizens – a key change given the tendency of some European countries to operate intelligence collection programs outside the bounds of European Data Protection laws.
  2. Designation of the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO) as the government agent responsible for conducting an initial review of any complaints received from nationals of qualifying states or the EU, determining whether any of the safeguards of the agreement or applicable U.S. law were violated and, if so, determining an appropriate remediation.
  3. Creation of a Data Protection Review Court to provide independent and binding review of the CLPO’s decisions upon the application of the individual or element of the intelligence community. Judges will be appointed from outside the U.S. government, will have relevant privacy and national security experience, and will review cases independently without fear of removal as a result of their decisions.

Bottom Line

While the delays in the development of an updated Privacy Shield framework may have been frustrating for industry, it is encouraging to see the Administration issue this Executive Order and for the Intelligence Community and Department of Justice to begin the work of implementing the new safeguards and redress mechanism. While it seems safe to assume that the European Commission will formally approve the updated framework next year, the stability that the updated framework will provide to U.S. and EU business seems likely to be short-lived as new challenges work their way through the courts and data protection authorities. Experts at The Chertoff Group will continue to monitor and share insights on this issue.

Alan Wehler is director of regulatory risk at The Chertoff Group. He helps companies understand and address major technology and security policy issues.
