In an important development for international privacy law, on December 13, 2022, the European Commission (the “EC”) published a draft adequacy decision in which the EC concluded that the new framework for transatlantic transfers of personal information proposed on October 7, 2022 by the US in Executive Order 14086 (the “Executive Order”) offers an adequate level of protection for EU personal data as regards “certified organisations”. This draft decision is an important step in the normalization of data flows between the US and the EU after two consecutive adverse decisions by the Court of Justice of the European Union (the “CJEU”) in Schrems I (2015) and Schrems II (2020), both of which invalidated previous frameworks, respectively the US-EU Safe Harbor Framework and the EU-US Privacy Shield (see our previous blogs: here,here and here).
If officially adopted, this draft decision would be beneficial to Canadian businesses with ties in the EU and operating in the US that obtain certification under the new framework.  In the context of the General Data Protection Regulation (the “GDPR”), relying on an adequacy decision to transfer personal data outside the European Economic Area is advantageous as it allows the transfer to occur without further authorisation. By contrast, transfers to jurisdictions that do not benefit from an adequacy decision require additional safeguards including entering into standard contractual clauses (the “SCCs”) pre-approved by the EC or adopting binding non-contractual rules applicable within a corporate group. For those interested in learning more about how this regime contrasts with the new provisions of Quebec’s Law 25 (formerly Bill 64) on data transfers outside of the province, we recommend our blog here.
Nevertheless, similar to what was required under the EU-US Privacy Shield, in order to benefit from the EC adequacy decision (if adopted), companies will need to be certified by the US Department of Commerce, otherwise an alternative basis for lawful transfer (such as reliance on the SCCs) will remain necessary.
The publication of the draft adequacy decision follows a joint announcement made in March 2022 by the U.S. government and the EC stating their commitment to implement a new EU-US Data Privacy Framework (the “EU-US DPF”).
According to the White House, the EU-US DPF is the product of negotiations between the US and the EU that began shortly after Schrems II to create a new framework to address the CJEU’s concerns. Born in the wake of the Edward Snowden revelations of mass data surveillance by the National Security Agency (NSA)first made public by The Guardian, The Washington Post and other publications in 2013 (see here), those concerns relate to the lack of protection afforded to personal data transferred to the US against access by US public authorities, such as the NSA.
In response, the EU-US DPF increases oversight of intelligence activities, adds new independent redress mechanisms available to EU individuals and reinforces privacy and civil liberties safeguards governing intelligence activities.
Two steps remain before the final adoption of this adequacy decision. First, upon its review of the decision, the European Data Protection Board will publish a non-binding opinion. Second, the decision must be approved by a select committee of representatives from EU member States. Once those steps are completed, the EC may adopt the adequacy decision, which will take effect instantly. The European Parliament could also exercise its right of scrutiny over this adequacy decision. According to European Commissioner Justice Didier Reynders, final approval is expected to take place by July 2023.
The Executive Order
New Criteria for Signals Intelligence Collection
Under the EU-US DPF, as set out in the Executive Order, US intelligence agencies will only be authorized to conduct surveillance of foreign communications and information systems (known as “signals intelligence” in US intelligence circles) when pursuing a “defined national security objective” and when necessary “to advance a validated intelligence priority”, as determined by a prior reasonable assessment (s. 2(a)(ii)(A)). The surveillance must also be proportionate (s. 2(a)(ii)(B)) to the intelligence priority and its implementation must consider the impacts on the privacy and civil liberties of the person concerned, regardless of nationality (s. 2(a)(ii)). In addition, the Executive Order reinforces the powers of legal and compliance officials. It also includes a detailed list of legitimate objectives of signal intelligence, including assessing capabilities or intention of foreign actors (government, military, political organizations, etc.) to protect national security (s. 2(b)(i)(A)(1)) or terrorist organizations that pose current or potential threats to national security (s. 2(b)(i)(A)(2)), and conducting counter-intelligence (s 2(b)(i)(A)(6)).
The Executive Order also prohibits certain objectives of signals intelligence: (1) political or free speech suppression, (2) suppression of legitimate privacy interests, (3) suppression of the right to legal counsel, (4) creating disadvantages to individuals based on prohibited grounds (ethnicity, race, gender, etc.) and (5) collecting private commercial information or trade secrets to give a commercial advantage to the U.S. or U.S. companies. By contrast, such collection for national security reasons is permitted (s. 2(b)(ii)). Significantly, the Executive Order does not prohibit bulk collection of signals intelligence, but rather states that targeted collection is to be prioritized, unless the information sought for a validated intelligence priority can only reasonably be obtained through bulk collection (s. 2(c)(ii)(A)).
The EU-US DPF also includes new procedural protections with the creation of a new redress mechanism to administer complaints made by individuals located in certain foreign states or regional economic integration organizations. The US will create a forum where complaints regarding the treatment of foreign personal information by US intelligence will be heard. This mechanism will have two layers. First, the Executive Order reinforces the role of Civil Liberties Protections Officers (CLPO), which act as independent advisors to the Office of the Director of National Intelligence, and tasks them with conducting initial investigations of valid complaints in light of US laws, including the provisions of the Executive Order (s. 3(a)). Decisions by CLPOs will be binding and CLPOs will be able to order “appropriate remediation” (s. 3(c)(i)(C)) such as terminating unlawful data collection, deleting unlawfully obtained data or recalling intelligence reports including unlawfully obtained data (s. 4(a)).
Second, decisions of the CLPOs will be subject to review by the Data Protection Review Court (DPRC) (s. 3(c)(i)(E)(2)). The DPRC will hear appeals from individual complainants or the intelligence community, but complainants will only be represented by a special advocate selected by the DPRC (s. 3(c)(i)(E)(3)). The DPRC is under the responsibility of the U.S. Attorney General which has already published a regulation outlining the functioning of this court (see here). At least six judges will sit on the court and their decisions will be final and binding. However, according to the Attorney General’s regulation, individual plaintiffs will not be informed of whether they were the object of intelligence activities, but will simply receive a standard notice that confirms that the DPRC has completed its review and whether it has identified a violation or ordered remediation.
This redress mechanism will not be available to all foreign nationals, but to those living in “qualifying states”, a determination that will be made by the US Attorney General in part based on US national interest (s. 3(f)(i)(C)). The Attorney General can revoke this determination at any time, notably if the state concerned does not permit the transfer of personal information for commercial purposes to the U.S. (s. 3(f)(ii)(B)).
Towards Schrems III?
The draft adequacy decision confirms that the EC considers the measures described above to ensure “an adequate level of protection for personal data transferred under the EU-U.S. DPF”. As mentioned above, however, this is not a general adequacy decision, because US companies will need to go through an annual self-certification process with the US Department of Commerce to confirm that they comply with the EU-US DPF principles (the “Principles”) and publicly declare their commitment to adhere to the Principles. In addition, in order to enter the EU-U.S. DPF, an organization must be subject to the investigatory and enforcement powers of the Federal Trade Commission, the U.S. Department of Transportation or another statutory body that will effectively ensure compliance with the Principles.
Max Schrems, the plaintiff between the two CJEU cases that bear his name and who has since become an important privacy advocate, reacted critically to this draft decision. In a press release published by NOYB, a non-profit organization he founded, Mr. Schrems stated: “As the draft decision is based on the known Executive Order, I can’t see how this would survive a challenge before the Court of Justice. It seems that the European Commission just issues similar decisions over and over again - in flagrant breach of our fundamental rights.” This statement suggests that Mr. Schrems may yet again take the matter up to the CJEU. The third time may not be the charm...