A new EU-US data privacy framework
In July 2020, the Court of Justice of the European Union’s (“CJEU”) Schrems II judgement struck down the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield framework. The CJEU’s reasoning for this invalidation was the absence of adequate safeguards and effective redressal mechanisms available to EU data subjects against U.S. authorities, which had resulted in U.S. authorities having unbridled powers under U.S. law to collect the personal data of EU data subjects. Prior to this invalidation, organisations relied on this mechanism for personal data transfers from the EU to the U.S. In the years after the Schrems II judgement, the absence of a legal mechanism created difficulties for transatlantic personal data transfers.
It is to fill this lacuna that the U.S. President signed an executive order on Enhancing Safeguards for United States Signals Intelligence Activities (“E.O.”) on 7th October 2022, directing the steps that the U.S. will take to implement its commitments under the March 2022 European Union-U.S. Data Privacy Framework (“EU-U.S. DPF”).
The E.O. provides a few safeguards in relation to the U.S. intelligence agencies' access to personal data. It requires that such activities be conducted only (a) in pursuit of defined national security objectives; and (b) when necessary and proportionate to advance a validated intelligence priority. It requires such activities to take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence. It directs the U.S. intelligence agencies to update their policies and procedures to reflect the new privacy and civil liberties safeguards.
To ensure compliance with the restrictions on surveillance activities, the E.O. establishes a two-layer independent redressal mechanism to (a) direct remedial measures; and (b) enhance rigorous and layered oversight of intelligence activities. At the first level, individuals can lodge a complaint with the Civil Liberties Protection Officer (“CLPO”) in the office of the Director of National Intelligence. The CLPO will conduct the initial investigation of qualifying complaints to determine whether the E.O. safeguards or other applicable U.S. laws have been violated. In the event of a violation, the CLPO will determine the appropriate remedy, and its decision will be binding on the intelligence authorities. The E.O. prohibits the Director of National Intelligence from interfering with the CLPO’s review of a qualifying complaint or removing the CLPO for actions taken pursuant to the E.O.
An individual or an element of the intelligence community can apply to the newly established Data Protection Review Court (“DPRC”) for an independent and binding review of the CLPO’s decision. Decisions of the DPRC shall be binding. If the DPRC finds that data was collected in violation of the E.O., it can order the deletion of such data. The judges on the DPRC will be members chosen from outside the U.S. government who hold specific qualifications. Such judges cannot receive instructions from the government and can be dismissed only on serious grounds, such as being convicted of a crime. To facilitate a fair trial and enhance the review, the DPRC will select a special advocate with relevant experience who will aid the DPRC by ensuring that the complainant’s grievances are well represented before it. This will ensure that the DPRC is well aware of the facts and the corresponding law.
The E.O. calls on the Privacy and Civil Liberties Oversight Board to (a) review the policies and procedures of intelligence agencies to ensure that they are consistent with the E.O.; and (b) conduct an annual review of the redress process, including to review whether the intelligence agencies have fully complied with determinations made by the CLPO and the DPRC.
Only after the European Commission adopts the final adequacy decision in relation to the U.S. can this framework be used for data flows between EU and U.S. companies. U.S. companies will be able to join the framework by committing to comply with specified privacy obligations.