Member Article

President Biden’s Executive Order on US data transfers came at the end of last week, signalling a “dramatic step” for EU-US data relations, with knock on consequences for the UK expected. The superlatives can’t get strong enough for US data lawyers commenting on its impact.

The problem

Under the EU and UK GDPR an international transfer requires “adequate safeguards” to be in place.

The EU has designated countries outside the EU as already having “adequate” rules to protect data rights, but it does not currently recognise the US as providing adequate safeguards for data transfer. Previous schemes such as the Privacy Shield have failed following challenge by data campaigner Max Schrems.

Intelligence concerns

A key concern is that the US government - in particular, its intelligence services - might access and use EU individuals’ personal data, contrary to the EU Charter of Fundamental Rights, with no available remedy for a data subject wanting to peek behind the curtain.

What have companies been doing?

The main safeguards used globally are the EU “Standard Contractual Clauses” (SCCs”). However, clauses in a contract that is put away in a drawer cannot of themselves maintain the standard of protection for personal data in a chain of processing and sharing internationally.

The SCCs require analysis of what is actually happening in the chain of international locations, and a transfer risk assessment of the locations involved. Practically, this can be difficult when surveillance use in the US can be covert.

This has created uncertainty and fears of localisation in future.

The new agreement

On October 7, following a declaration of intent earlier in the year, and plenty of legal “heavy lifting”, US President Biden issued his Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities. These carry the force of law and are of immediate effect.

Necessary and proportionate

The central themes are two new tests: whether intelligence service activities are necessary and proportionate to advance a validated intelligence priority; and new rights of redress for anyone wanting to understand whether their data is being used appropriately.

The tests also set out clear examples of legitimate and prohibited activities for intelligence services to consider.

New Data Protection Review Court

The lack of a competent US court for an individual in the EU to complain to has been a major bone of contention. Now, anyone can make a referral about their data to an office of the Director of National Intelligence who will review claims. If data subjects are not happy, they can apply to a new Data Protection Review Court for further review.

This court will have three non-political judges. The Attorney General will not be able to interfere in the judges’ exercise of their legal authority and the judges are protected from dismissal. This is a major shift in position for the US, where all previous schemes have been led by officers with a political mandate and have not survived scrutiny by the European court, the ECJ.

Incredible bulk

“Bulk surveillance” is always a hot topic for campaigners and lawyers alike. This means intercepting communications on a big scale – and hoping you can weed out information which doesn’t relate to anyone you have a legitimate interest in monitoring.

The Order contains some concrete rules about how this can be done and requires that intelligence services take into account the impact on the privacy and civil liberties of all persons, regardless of their nationality or wherever they might reside.

Why an Executive Order?

The reasoning behind this is part of the cleverness of the solution: since it allows a way for anyone, not just an “injured party”, to gain the protections of the system.

And as their ultimate boss, the view is that the President can move minds in the intelligence services in a special way.

There have been concerns that the Order may be overturned by a future president. However, it’s likely that the existence of this framework will be condition of any future EU adequacy decision. The hope is that the stakes are now too high for a future climbdown.

So what’s next?

The European Commission has been heavily involved in negotiation and wants this to succeed. In fact their published response confirms that “the concerns raised by Schrems II [are…] reflected in the safeguards”. So ratification is hoped for by March 2023, and the Commission has already said it is drafting the adequacy decision which will be voted on by member states.

In the meantime, although the adequacy decision isn’t there yet, companies can breathe easier about the validity of their risk assessments for new transfers of EU data to the US – both to other companies and to government bodies.

Adequacy decisions are reviewed typically every four years once granted which may also deter future political interference with the new scheme.
Belt and braces

In the US, drafters will be updating the Privacy Shield to reflect the new arrangements and bring it in line with GDPR.

It looks as if the final position will be an adequacy decision plus Privacy Shield 2.0. So US data importing companies will have to be certified by the US Department of Commerce under the new framework in order to take advantage of the adequacy decision.

And will this accelerate a US federal privacy law? Time will tell.

Turning the tables

The US has its own concerns about sending data to countries where US citizens have no rights of redress or with a chequered history on human rights. The Order provides a framework for the US to assess and challenge surveillance in other countries.

And this leads to another interesting wrinkle. The EU is a federation of member states, which has delegated decisions about national security to its national governments. So when it comes to its own data, the US may have a tougher time getting the EU to return the favour.

And for the UK?

It’s easy to forget in the excitement that the UK is not directly affected by this historic decision. However, it will be swept along in its path. It has already accelerated plans for a UK-US adequacy finding under UK GDPR, and it certainly removes a perceived threat to EU-UK adequacy coming from concerns about a “rogue” UK-US accord. And could this be a real step towards the holy grail – a global transfer framework?

Safe passage

Max Schrems has already indicated that his view remains firmly that the new scheme allows “continued spying on Europeans."

The organisation he chairs, NOYB, have already said they will challenge the new scheme. The weak spot will be the exact nature of the new court, and whether the ECJ takes a harder line than the Commission.

What to think about now:

• Your contracts are likely to need updating, with key deadlines passing recently and upcoming by 27 December this year - get some advice!
• Keep calm and carry on. EU data transfers to the US:
  • still usually need SCCs, a transfer risk assessment and possibly operational, security and contractual changes
  • are likely to have a more secure framework for transfer by mid-next year
• US suppliers may be signing up to Privacy Shield 2.0 when it comes
• You still need equivalent safeguards under UK GDPR for UK-US data flows
• It could be time to start thinking about BCRs as a golden standard alternative to SCCs and strategic global procurement plans

 

Link to article