U.S.-EU Create New Framework to Address CJEU Concerns About U.S. Surveillance

11 Oct 2022
Client Alert

After several years of negotiation following the invalidation of the Privacy Shield by the European Court of Justice (CJEU), on October 7, the president signed an Executive Order, and the attorney general issued regulations, implementing the agreement between the U.S. and the EU announced earlier this year to replace the Privacy Shield framework. The European Commission (EC) has issued a statement that these actions will “address the concerns raised by the Court of Justice of the European Union in the Schrems II decision.” The EC is expected to make this framework the basis of an adequacy finding that the U.S. provides privacy protections that are essentially equivalent to European law.

This is welcome news, as companies have been caught in a very precarious position between the U.S. and the EU regarding access to personal information relating to Europeans by the U.S. government. These new rules should provide more certainty and clarity for U.S. and EU organizations that share personal information between the EU and the U.S., for at least the foreseeable future.

The Executive Order largely builds upon and expands the existing limitations on surveillance embodied in Presidential Policy Directive 28 (PPD-28), issued during the Obama administration. The attorney general’s regulations implement certain of the provisions of the Executive Order. Notable changes are:

  • For the first time the U.S. agrees that its surveillance activities will be “necessary” and “proportionate.” While the U.S. has always taken the position that its activities met that test, which is foundational to EU privacy law, it has never been willing to use the terms in agreements with the EU. The regulations specifically state that the Executive Order shall be interpreted “exclusively in light of United States law,” but the Executive Order sets out principles guiding surveillance, which track the principles used by European courts in judging the necessity and proportionality of surveillance.
  • The Executive Order specifies that surveillance may be conducted “only in pursuit of” enumerated objectives, such as countering terrorism, understanding the intentions of foreign governments, or protecting against foreign military capabilities. All of the enumerated purposes would likely be viewed as appropriate objectives of foreign intelligence. Notably, although the language of current law would permit surveillance of foreign persons as an appropriate basis for intelligence activities—a provision that has attracted criticism abroad—the new Executive Order does not allow surveillance just because the target is a foreign person. The U.S. has thus agreed to limitations on the scope of its surveillance activities to meet European concerns.
  • The Executive Order also sets forth rules for handling and storage of data obtained through surveillance, limitations on bulk collection, and provisions for oversight of surveillance activities, all to help ensure that personal data is adequately protected.
  • Most significantly, the Executive Order and the regulations establish an administrative procedure for responding to complaints about U.S. surveillance. A complaint will first be reviewed by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence, who will have the power to issue binding corrective orders to intelligence agencies, if necessary. A complainant can appeal to a new court created within the Department of Justice, whose members will be appointed by the attorney general and can be removed only for cause. This court will appoint a special advocate to represent the interests of the complainant, and will have the power to issue binding orders. A complainant will not have to meet the U.S. constitutional requirement of standing, which, by requiring complainants to establish that they have been subject to surveillance before permitting them to bring suit, has effectively precluded resort by individuals to U.S. courts.

    The redress mechanism is to be established within 60 days but will apply only to countries or regional organizations designated by the attorney general upon a finding that the country or regional organization (a) has adequate protections for information about U.S. persons and (b) permits the transfer of personal information for commercial purposes to the U.S. The attorney general is expected to quickly make such a finding with respect to the EU.

These provisions attempt to deal with the concerns raised in the CJEU’s Schrems II opinion about the scope of U.S. surveillance and the availability of redress from an independent tribunal, and, as noted above, the European Commission believes that they do so.

For companies that have previously relied upon the Privacy Shield as a basis for data transfers, the existing Privacy Shield framework will be maintained, although it is renamed the EU-U.S. Data Privacy Protection Framework. The Department of Commerce has indicated that companies that have certified that they meet the Privacy Shield standards will likely not have to modify their existing privacy policies other than to update any references to “Privacy Shield” to refer to the new framework.

However, the new Framework will not be effective to permit data transfers until an adequacy finding has been made by the European Commission. While we anticipate that happening, it will likely take several months, as the European Commission will have to go through the required legal process, which includes obtaining an opinion from the European Data Protection Board and a review by the European Parliament. It is unclear what position European Data Protection Authorities will take in the interim.

On the other hand, the Executive Order, the regulations issued by the U.S. Department of Justice, and the European Commission’s endorsement of them should facilitate data transfers pursuant to other mechanisms, such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). Because the CJEU found that U.S. privacy protections were not essentially equivalent to those in the EU, companies relying on SCCs or BCRs have had to make detailed Transfer Impact Assessments (TIAs) to establish whether, in their particular cases, the concerns about U.S. surveillance identified by the CJEU were or could be addressed by supplementary measures. These TIAs are often lengthy and time-consuming. As a result of these steps by the U.S. government, companies should be able to rely on the new Framework, and the EC’s acceptance of it, as by themselves establishing essential equivalency, greatly simplifying the analysis required for a TIA.

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.