There has been a great deal of legal uncertainty and complexity surrounding the transfer of personal data from the European Union (EU) to the United States (U.S.) after the Court of Justice of the European Union (CJEU) invalidated the so-called EU-U.S. Privacy Shield in the case of Schrems II in July 2020. In March 2022, the EU and the U.S. finally reached an agreement in principle for a new data privacy framework. In October, U.S President Biden followed through on his commitment by signing an Executive Order to pave the way for the new transatlantic framework. As of December 2022, the European Commission is reportedly days away from publishing its draft adequacy decision. However, uncertainty will likely remain for some time as Mr Schrems has already voiced his dissatisfaction with the planned framework.
Much of the work surrounding the transfer of personal data between the EU and the U.S. is linked to the European Commission, which, as a reminder, is the politically independent executive branch of the EU and consists of one member from each of the 27 EU Member States. On 2 July 2016, the European Commission enacted a so-called adequacy decision in line with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (“EU GDPR”). The adequacy decision effectively allowed for the free transfer of personal data from the EU to U.S. companies certified under the so-called EU-U.S. Privacy Shield Framework. The framework was established jointly by the U.S. Department of Commerce and the European Commission to serve as a mechanism for complying with data protection regulations.
However, in the judgment of the Court of Justice of the European Union (CJEU) of 16 July 2020, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems [1], the CJEU invalidated the EU-U.S. Privacy Shield as a legitimate transfer mechanism between the EU/EEA and the U.S. Mr Schrems had brought a complaint in 2013 concerning Facebook Ireland transferring his personal data to Facebook Inc. in the U.S. In its judgment, the CJEU raised concerns about the indiscriminate access by U.S. intelligence authorities to EU citizens’ data included in electronic communications. The CJEU invalidated the previous data-sharing provisions – decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. Further, it confirmed Decision 2010/87 on the so-called Standard Contractual Clauses (SCC) and added that they should be viewed as a baseline.
The Schrems II ruling has resulted in a period of legal uncertainty concerning data transfer mechanisms between the EU and the U.S. Detailed negotiations were pursued for more than a year to resolve the situation. In March 2022, Ursula van der Leyen, President of the European Commission, and U.S. President Joe Biden finally announced their agreement in principle for a new Trans-Atlantic Data Privacy Framework governing EU-U.S. data transfers. Under the framework, the U.S. committed to translating the in-principle understanding into U.S. law by enacting an Executive Order. The Executive Order would then form the basis for a draft adequacy decision by the European Commission to put in place the new framework.
An “adequacy decision” is a way for the EU to determine whether a non-EU country has adequate data protection under article 45 of the EU GDPR. The steps required for enacting EU adequacy decisions include the following:
a proposal from the European Commission
an opinion of the European Data Protection Board
an approval from representatives of EU countries
the adoption of the decision by the European Commission
On 7 October 2022, U.S. President Biden signed the anticipated Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (E.O.). The purpose is to fulfil the commitment given to the EU under the European Union-U.S. Data Privacy Framework and address the concerns raised by the CJEU. The executive order outlines specific steps the U.S. will take to follow through on the in-principle agreement reached in March.
The Executive Order adds protections for American signal intelligence operations. Those protections include requirements that signal intelligence operations only be carried out in support of clearly defined national security goals, that they respect the rights to privacy and civil liberties of all individuals, regardless of nationality or residency, and only when necessary – and proportionate – to advance a prioritised intelligence objective.
Furthermore, the order introduces requirements for handling personal data collected through signal intelligence activities and widens the scope of responsibilities of “legal, oversight, and compliance officials to ensure that appropriate actions are taken to remediate incidents of non-compliance.” Entities in the U.S. Intelligence Community will be required to update their policies and procedures to include the new safeguards in the executive order.
There will be a new “multi-layer mechanism for individuals from qualifying states and regional economic integration organisations/…/ to obtain [an] independent and binding review and redress of claims that their personal information collected through U.S. signals intelligence was collected or handled by the United States in violation of applicable U.S. law, including the enhanced safeguards in the [executive order].”
Lastly, the Privacy and Civil Liberties Oversight Board will review the policies and procedures of the Intelligence Community for compliance with the requirements laid out in the Executive Order and review the redress process annually.
After signing the Executive Order, the European Commission began drafting its adequacy decision on EU-U.S. data transfers. Once the draft is ready, an adoption process will follow, as outlined above. The process was initially expected to take around six months from the time of the Executive Order. That would have meant that the adequacy decision would be in place by April 2023. However, on 7 December 2022, Politico Pro reported that the preliminary decision might be published as early as 12 December, citing two unnamed individuals briefed on the announcement.
Until the adequacy decision has been made, there are still ways in which companies may legitimately transfer data from the EU to the U.S. In June 2021, the European Commission adopted two sets of standard contractual clauses that reflect new EU GDPR requirements and take into account the CJEU judgment in Schrems II:
Standard contractual clauses for controllers and processors in the EU/EEA; and
Standard contractual clauses for international transfers governing the transfer of personal data to third parties.
The European Commission may be in the advanced stages of publishing a new adequacy decision. However, Mr. Schrems reportedly voiced concerns over the new framework at the IAPP Europe Data Protection Congress held in Brussels in October. He appears to be planning to seek injunctive relief and have the CJEU fast-track his challenge, which could pave the way for a “Schrems III” case. The aim would be to freeze the European Commission’s decision and replace the proposed framework with another agreement with more legal certainty.
At first sight, it may appear as an issue of interest mainly to companies in the EU and the U.S. However, it should be remembered that the EU GDPR has extraterritorial effects. Even organisations without a physical presence in the EU may be required to comply with the regulations. Furthermore, the developments will likely affect rules in other jurisdictions influenced by the EU GDPR, such as the Abu Dhabi Global Market (ADGM) and Dubai International Financial Centre (DIFC), to mention two examples.
[1] C-311/18, ECLI:EU:C:2020:559.