President Joe Biden’s long-awaited executive order on a data privacy framework proposed a legal solution for American companies to complete transatlantic data flows without fear of violating the European Union’s strict rules.
The executive order, released Friday, is the tangible result of an agreement in principle announced in March between the United States and the European Union aimed at providing a workable, legally resilient framework that will allow companies to continue moving the personal data of EU-based citizens to, and storing it on, American-based servers without running into legal issues under the General Data Protection Regulation (GDPR).
The executive order stated U.S. intelligence activities would be limited to the pursuit of national security objectives, and that the privacy rights and civil liberties of all citizens, not just U.S. citizens, would be taken into consideration.
Caitlin Fennessy, vice president and chief knowledge officer at the International Association of Privacy Professionals, said the framework narrows the scope of data U.S. intelligence can request to review to what is necessary and proportional—two restrictions the United States had previously fought to keep out of any framework. The Court of Justice of the European Union (CJEU), in striking down the previous data privacy agreement in 2020, had sought “reasonable” protections for the privacy of the bloc’s citizens, she said.
The executive order also establishes two methods of redress for complaints of data privacy violations by U.S. intelligence.
The first method involves a review of any complaints by a civil liberties protection officer (CLPO) at the Office of the Director of National Intelligence. Any decision by the CLPO would be binding on the U.S. intelligence community.
The second layer is a newly created Data Protection Review Court, established within the Office of the U.S. Attorney General, to provide “independent and binding review of the CLPO’s decisions,” according to a White House fact sheet. The new court’s judges will be appointed from outside the U.S. government and enjoy protections against removal by the executive branch.
Attorney General Merrick Garland signed the new court into existence Friday.
In July 2020, the CJEU struck down the Privacy Shield, which U.S. companies had depended on since 2016 to protect the personal data of Europeans when transferred across the Atlantic for commercial use. A previous agreement, Safe Harbor, was struck down by the same court in 2015.
The new data privacy framework “will restore an important legal basis for transatlantic data flows by addressing concerns that the Court of Justice of the European Union raised in striking down the prior EU-U.S. Privacy Shield framework as a valid data transfer mechanism under EU law,” the White House said in its fact sheet.
The European Commission expressed its support for Biden’s executive order, outlining in a Q&A how the framework will address the legal issues the CJEU had cited when it struck down the Privacy Shield (a ruling referred to as Schrems II).
“The objective of the commission in these negotiations has been to address the concerns raised by the Court of Justice of the EU in the Schrems II judgment and provide a durable and reliable legal basis for transatlantic data flows,” the Q&A said. “This is reflected in the safeguards included in the executive order, regarding both the substantive limitation on U.S. national security authorities’ access to data (necessity and proportionality) and the establishment of the new redress mechanism.”
There is optimism among the U.S. business community the new framework will do what it promises, said Aaron Simpson, partner at law firm Hunton Andrews Kurth.
“At this point, while the executive order is certainly a significant development, it doesn’t itself create a path to lawful data exports from Europe. What it does do is create optimism the European Commission will come up with an adequacy decision for data transfers from the EU to the U.S.,” he said. “The hope is certainly an adequacy decision premised on this executive order will provide a more durable, long-term solution for these data flows.”
There are still several steps to be taken by both sides for the framework to be implemented in full, which likely won’t occur until sometime early next year, said Ezra Church, partner with law firm Morgan Lewis.
“From the EU authorities’ perspective, the devil may be in the details here, since much of the order involves directions to [the Department of Justice], the Office of the Director of National Intelligence, and others within the U.S. government to set up various and multilayered processes to limit surveillance and provide review and redress for the claims of individuals,” Church said. “Those things will take time to implement.”
Not everyone shares in the optimism the new framework will withstand legal scrutiny.
Privacy advocate Max Schrems, whose legal challenges ultimately led to the toppling of the Privacy Shield and Safe Harbor, is still skeptical.
A blog post by the European Center for Digital Rights, where Schrems is honorary chairman, was entitled, “New U.S. executive order unlikely to satisfy EU law.”
Bulk surveillance by U.S. intelligence will likely continue even under the new framework, the blog post argued, while the newly created Data Protection Review Court is not a “real” court.
“At first sight, it seems that the core issues were not solved, and it will be back to the CJEU sooner or later,” wrote Schrems.
Fennessy said the framework might eventually remove much of the legal uncertainty around the issue of transatlantic data flows. Ultimately, the CJEU might be forced to rule on its legal standing for a third time.
“We do expect this framework will be tested, scrutinized, and challenged in court fairly quickly,” she said. “The fact it took this long to develop is a positive sign. They were aiming to create a durable framework that can be built upon.”