1. Introduction

On July 10, 2023, the European Commission ("EC") adopted the EU-US Data Privacy Framework ("DPF") for regulating transatlantic data transfers. The US and the EU share an extensive trade and investment relationship that necessitates the transfer of personal data across borders, and this has highlighted the need for a transfer structure that is sustainable and aligned with the General Data Protection Regulation ("GDPR"). The DPF is the first significant step after the invalidation of the EU-US Safe Harbor Privacy Principles ("Safe Harbor Principles") and the EU-US Privacy Shield ("Privacy Shield"), and its immediate trigger can be traced to the Irish DPC's decision against Meta Platforms Ireland Limited ("Meta").[1]

In this part of the blog, we present a brief insight into the journey so far; in Part II we will provide our point of view on specific aspects of the DPF.

2. Timeline

July 26, 2000: EC adopts the Safe Harbor Principles
October 6, 2015: Court of Justice of the European Union ("CJEU") declares the Safe Harbor Principles invalid in Maximillian Schrems v. Data Protection Commissioner ("Schrems I")
July 12, 2016: EC adopts the Privacy Shield
May 25, 2018: GDPR enters into force
July 16, 2020: CJEU declares the Privacy Shield invalid in Data Protection Commissioner v. Facebook Ireland Limited ("Schrems II")
March 25, 2022: Draft DPF announced by the US and the EU
October 7, 2022: US President issues Executive Order 14086 establishing a legal framework for transatlantic data transfers ("EO")
December 13, 2022: EC releases draft decision on the adequacy of the draft DPF
July 10, 2023: EC adopts the DPF

3. Need for DPF

3.1 Failed Safe Harbor Principles and Privacy Shield

In Schrems I and Schrems II, the CJEU held that the Safe Harbor Principles and the Privacy Shield did not adequately safeguard data subjects' right to privacy. The decisions were premised on the US's overarching surveillance laws, such as Section 702 FISA (Foreign Intelligence Surveillance Amendment Act of 2008)[2] and Executive Order 12333,[3] which grant extensive powers to US authorities to breach data subjects' privacy, together with the absence of judicial review.

In Schrems I, the CJEU found that the Safe Harbor Principles, a self-assessment and certification mechanism, did not provide adequate protection against US surveillance of EU citizens. The CJEU observed that the transfer of personal data outside the EU can only take place when the receiving country ensures an adequate level of protection, either through its national law or through its international commitments. US intelligence authorities could interfere with the fundamental rights of EU citizens on grounds of national security, public interest, or law enforcement requirements. Further, there were no effective legal protections against such interference and no possibility of judicial redress under US law. Consequently, the CJEU declared the Safe Harbor Principles invalid.

The Privacy Shield was adopted next and was in turn invalidated in Schrems II. The Privacy Shield was more comprehensive than the Safe Harbor Principles: it set out the grounds for data protection, included special protection for sensitive data and human resources data, and required organizations undergoing takeovers and mergers to conduct data audits. It also introduced an Ombudsman mechanism for the resolution of complaints. Despite this, the CJEU found that the Privacy Shield still gave US intelligence agencies the authority to access the personal data of EU citizens and thereby failed to provide adequate protection. Further, the Ombudsman mechanism was scrutinized and found to be insufficiently independent, as its members were appointed by and reported directly to the US Secretary of State. Additionally, the Ombudsman's decisions were not binding on US intelligence authorities.

3.2 Decision against Meta

The Irish DPC, in its decision against Meta, held that the transfer of personal data to Meta US exposes EU citizens' data to significant risks, considering the extensive surveillance powers of US authorities. Consequently, it prohibited Meta from storing personal data of EU citizens in the US. Meta argued that its data transfers relied on the 2021 standard contractual clauses ("SCCs"), as well as a wide range of organizational, technical, and legal measures such as encryption protocols, access controls, and impact assessments. The Irish DPC observed that the measures adopted by Meta were inadequate, and that the use of SCCs does not cure the inherent deficiencies in US law: Meta would still be required to grant access to personal data if the US government made a request under its surveillance laws.

Accordingly, Meta was fined €1.2 billion and was ordered to (a) stop cross-border transfers to the US, (b) delete data already transferred, and (c) bring its processing activities into compliance with the GDPR. The decision reiterates that US surveillance programs do not set any clear legal limitations on access to personal data.

4. EU law v. US law

There are important cultural differences between the data protection regimes of the EU and the US. The EU considers privacy a fundamental right. In line with this position, the GDPR is a comprehensive data privacy law that safeguards the personal data of EU citizens. The rules for GDPR compliance are based on seven key principles.[4] Further, the GDPR permits cross-border transfer of EU personal data only: (a) if the other jurisdiction ensures an adequate level of protection under its law; or (b) if there are appropriate safeguards[5] for data subjects' rights and the other jurisdiction allows effective legal remedies in case of breach; or (c) in the absence of (a) and (b), if the transfer is undertaken on the basis of the data subject's consent, necessity for the performance of a lawful contract, public interest, the exercise of legal rights, or the protection of the vital interests of data subjects who are incapable of providing consent.

On the other hand, the US has traditionally taken a more hands-off approach, favoring companies that collect and use personal data. There is neither a legally guaranteed right to privacy in the US nor a federal data protection law. However, some sectoral regulations, such as the California Consumer Protection Act, the Fair Credit Reporting Act, and HIPAA,[6] provide some form of protection to certain categories of personal data. As a result, the US, through extensive surveillance laws, is able to conduct targeted surveillance of foreign citizens.[7] To address this lacuna and to give effect to the proposed DPF, the US President signed the EO.

5. EO – Key Features and Potential Challenges

Purpose limitation: The EO provides that US intelligence agencies must consider necessity and proportionality before engaging in surveillance activities. Further, it lays down 12 purpose limitations for which intelligence activities may be undertaken. These include threats to national security, terrorism, cyberattacks, global security threats, threats arising from weapons of mass destruction, protection against espionage and sabotage, threats to US personnel, allies and partners, transnational criminal threats, and the integrity of US elections and political processes. Additionally, it specifies 4 prohibited objectives for which intelligence activities cannot be carried out: restricting free speech, restricting privacy rights, restricting the right to free counsel, and discriminating against persons on the basis of their gender, ethnicity, or race.

While the EO seeks to define the purposes for which intelligence activities may be undertaken, the objectives seem too broad and ambiguous to have any meaningful impact. For instance, a listed objective is "understanding or assessing the capabilities, intentions, or activities of a foreign government...for protecting the national security of the United States and its allies and partners." This limitation gives no real insight into the level of threat that would trigger the US government to undertake intelligence activities. Additionally, the President has residual powers to add to this list. It is also significant that the EO does not prohibit bulk collection of personal data; rather, it simply states that whether bulk collection is necessary will be determined on a case-by-case basis. This fails to alleviate concerns regarding abuse of purpose limitation and data minimization.

Enforcement of data subjects' rights: The EO sets up a two-layer redressal mechanism for the adjudication of complaints. The first layer involves investigation of the complaint by a Civil Liberties Protection Officer ("CLPO") appointed by the Director of National Intelligence. The CLPO's adjudication report is classified, and the complainant is provided only a summary order stating whether any violation of data rights has been found. The second layer is an appeal mechanism before a Data Protection Review Court ("DPRC"), composed of three judges appointed by the US Attorney General and the Secretary of Commerce. The DPRC's determination is likewise classified, and only a summary order is provided to the complainant.

The absence of an independent and impartial court was one of the factors that invalidated the Privacy Shield. The EO appears vulnerable to the same criticism, considering that the CLPO and the DPRC judges are appointed by the executive. This raises questions about their ability to provide effective and impartial judicial review, especially against the US government. Further, the adjudication by the CLPO and the DPRC is opaque and does not provide any information about the process, the factors and evidence considered, the inquiry conducted, or the basis for the findings. Consequently, the complainant has no meaningful right to appeal or to take any further steps. Additionally, the entire process summarized above is marred by extreme secrecy, which hampers the complainant's right to an effective judicial review mechanism.

Amendment of FISA and other laws: The EO does not amend US surveillance laws. Enforcing the EO without a parallel amendment of those laws leaves it open to future challenges on grounds similar to those that invalidated the Safe Harbor Principles and the Privacy Shield. The EO also fails to introduce safeguards that would allow it to prevail over US surveillance laws. Without such amendments, it is hard to envision the fulfilment of data privacy safeguards for EU citizens under the GDPR.

6. Conclusion

The DPF marks a significant step towards enabling transatlantic data transfers and provides much-needed regulatory approval to entities transferring data to the US. However, concerns regarding US surveillance regulations remain open, and it is unclear whether cross-border transfers are marching towards an inevitable impasse. This could render all efforts ineffective, with inevitable further shocks from European regulatory and judicial actions in the future.

Footnotes

1. See the adequacy decision here: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en

2. Section 702 FISA allows the US government to compel electronic service providers to grant access to any personal data processed.

3. Executive Order 12333 allows US intelligence agencies to collect and analyze all data, including personal data, in transit to the US, including from undersea cables, for national security purposes.

4. The principles are: Lawfulness, Fairness, and Transparency; Purpose Limitation; Data Minimization; Accuracy; Storage Limitation; Integrity and Confidentiality; and Accountability.

5. Under Article 46, these appropriate safeguards include a legally binding and enforceable instrument between public authorities, binding corporate rules, standard data protection clauses, etc.

6. Health Insurance Portability and Accountability Act.

7. Section 702 overview, available at https://www.dni.gov/files/icotr/Section702-Basics-Infographic.pdf (last accessed June 23, 2023).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.