Biden waves Privacy Magic Wand
Since July 2020, when the Court of Justice of the European Union (CJEU) upheld the challenge to the Privacy Shield brought by Max Schrems and declared that adequacy mechanism for data transfers to certain US entities invalid, data exporters have been obliged to run an assault course in an effort to maintain GDPR- and UK GDPR-compliant restricted international data transfers from the EEA and the UK to the United States (USA). They have been forced to undertake International Data Transfer Risk Assessments (IDTRAs) before implementing additional safeguards, or otherwise to abandon personal data transfers or run the risk of regulatory or legal action.
Multiple adverse decisions have subsequently been adopted by data protection regulators across the EEA to the effect that data transfers have failed to comply with Article 46, most notably in relation to the use of Google Analytics.
In an effort to resolve this lacuna, in March of this year President Biden and EC President Ursula von der Leyen announced that they had reached an agreement in principle for a new transatlantic data privacy framework to replace the defunct Privacy Shield for EEA-US personal data transfers.
In a highly anticipated announcement, President Biden has today (Friday 07 October 2022) waved his Privacy Magic Wand and issued an ‘Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities’, which is intended to remedy the shortcomings identified in the CJEU ruling and provide the foundation for the issue of a new EC adequacy decision.
While any adequacy decision issued by the European Commission will not assist UK-based data exporters to the USA, the Secretary of State for Digital, Culture, Media and Sport, Michelle Donelan MP, and the US Secretary of Commerce, Gina Raimondo, also today issued a joint statement on a ‘New Comprehensive Dialogue on Technology and Data and Progress on Data Adequacy’. In light of President Biden’s Executive Order, the UK indicated that it “intends to work expediently to conclude its assessment, with the aim of issuing an adequacy decision that will restore a stable and reliable mechanism for UK-US data flows”. Such a decision would be made under regulations issued under s.74A Data Protection Act 2018. The US would seek to designate the UK as a qualifying state under the Executive Order. No specific timeline was given for achieving these aims.
But the million dollar question is whether the new measures detailed in the Executive Order will be sufficient to enable the regime to survive a legal challenge, even if they provide temporary (albeit welcome) respite to data exporters in the interim.
The CJEU identified a series of deficiencies in the Privacy Shield framework, which Max Schrems has described as merely an attempt to put lipstick on the pig of the previous Safe Harbor regime, in particular that:
national law did not provide sufficient safeguards for interferences with the data protection rights of foreign nationals authorised by domestic legislation under either Section 702 of the FISA or E.O. 12333;
judicial protection for the right of data subjects was ineffective since the Privacy Shield Ombudsperson could not be regarded as a tribunal; and,
surveillance programmes based on Section 702 of the FISA did not comply with the principles of necessity and proportionality.
The specific measures proposed in the Executive Order to remedy these deficiencies include:
the identification of the objectives for which signals intelligence activities may be conducted, albeit that these may be amended by the President and will not be required to be publicly disclosed if deemed to pose a risk to the security of the US;
the identification of a range of activities for which signals intelligence activities may not be deployed;
signals intelligence activities shall be conducted only following a determination that the activities are necessary to advance a validated intelligence priority, but need not meet the threshold of strict necessity;
signals intelligence activities shall be conducted only to the extent and in a manner that is proportionate to the validated intelligence priority for which they have been authorized, balancing the impact on the rights of all individuals regardless of citizenship or residency;
the Civil Liberties Protection Officer of the Office of the Director of National Intelligence (CLPO) will assess whether the signals intelligence collection activities are undertaken to advance legitimate objectives, although there is no power of veto;
bulk collection will only be permitted where the information necessary to advance a validated intelligence priority cannot reasonably be obtained by targeted collection, but data minimization measures should be deployed;
restrictions on the dissemination and handling of information gathered through signals intelligence activities;
policies and procedures pursuant to Presidential Policy Directive 28 of January 17, 2014 (Signals Intelligence Activities) (PPD-28) shall be published in so far as possible;
the Privacy and Civil Liberties Oversight Board (PCLOB) shall review the policies and procedures, and any recommendations shall be addressed;
each element of the intelligence community collecting signals intelligence shall have appropriate officials to ensure oversight and compliance, including an Inspector General, a Privacy and Civil Liberties Officer, and an officer or officers in a designated compliance role with the authority to conduct oversight of and ensure compliance with applicable United States law;
establishment of a complaints process for qualifying complaints submitted by an appropriate public authority in a qualifying state for investigation and remediation by the CLPO, which shall be binding unless subject to review;
the establishment of a Data Protection Review Court to review decisions of the CLPO at the request of either a complainant or intelligence agency, where the complainant will be represented by a special advocate, and the court shall be guided by decisions of the US Supreme Court;
the outcome of any consideration by the CLPO or the Data Protection Review Court shall be conveyed to the complainant in the limited form of either confirming that no covered violations were identified or that a determination requiring remediation was issued;
the establishment of a mechanism to allow for complainants to be alerted, through the appropriate public authority in the qualifying state, in the event that information pertaining to the determination of the complaint has been de-classified;
annual reviews by the PCLOB of the CLPO and Data Protection Review Court process, with the unclassified version of the report being published;
the conditions and process for designating qualifying states; and,
the definition of qualifying complaints.
The European Commission has indicated that it considers that the provisions in the Executive Order provide “a durable and reliable legal basis for transatlantic data flows” that will be capable of withstanding legal challenge and will now prepare a draft adequacy decision, which will be subject to review and comment by the European Data Protection Board, before being finalised and published, which is likely to be during the course of 2023.
Max Schrems has already issued an initial response to the Executive Order through noyb, indicating that it is “unlikely to satisfy EU law”, in particular on account of the differing concept of necessity adopted in the Executive Order, and because it contends that the Data Protection Review Court will not meet the requirements for valid judicial redress.
Since the Executive Order is universal, the process in the UK will involve the Secretary of State making a determination as to adequacy having regard to the factors set out at Article 45(2) UK GDPR and s.74A(4) Data Protection Act 2018, which are identical to the factors to be considered by the European Commission under Article 45(2) GDPR. It is feasible that the UK could determine the USA’s adequacy status more swiftly, by laying regulations before Parliament which are subject to the negative resolution procedure and would therefore become law unless rejected within 40 sitting days.
In the meantime, data exporters in the UK and EEA must continue to ensure that they have assessed the risk posed by international data transfers and implemented additional safeguards to secure personal data, with careful consideration given to whether personal data transfers to the USA are capable of compliance.