On course for an EU-US adequacy decision?

On 7 October 2022, President Biden issued an Executive Order (EO) that seeks to address the concerns set out in the Schrems II decision about US intelligence agencies’ access to EU individuals’ personal data. The EO is a significant step towards an EU-U.S. adequacy decision (expected in Spring 2023, if approved by member states) but, if granted, will that adequacy decision be sufficiently robust to withstand a likely legal challenge?

Now Reading

What's the reason for the EO?

The Court of Justice of the European Union's (CJEU) Schrems II decision in 2020 made the transatlantic sharing of personal data more difficult.

Schrems II

The effect of the Schrems II judgment was to:

strike down the EU's 2016 adequacy decision for the EU-U.S. Privacy Shield (which had replaced the "Safe Harbor" regime); and
require other EU-approved transfer mechanisms, such as standard contractual clauses, to be supplemented by an assessment of the risks involved in the data transfer - a "transfer impact assessment". This includes an assessment as to whether the laws and practices of the territory into which data is to be imported undermine the effectiveness of the safeguards provided by those mechanisms. See our previous briefing here for more detail.

The EO is intended to form the basis of an EU adequacy decision that would allow the free flow of personal data between the EEA and those organisations in the US that adhere to the "EU-US Data Privacy Framework Principles". Data exporters from the EEA would then not need to rely on an alternative transfer mechanism, such as standard contractual clauses, in order to complete that transfer compliantly, nor to undertake a "transfer impact assessment".

It would also mean that data protection authorities across the EU could not suspend transfers of personal data to the US - a risk of significant disruption currently faced by tech giants. Data protection authorities in France, Italy and Austria have warned against the use of Google Analytics in its standard configuration and Ireland's Data Protection Commission is threatening to shut down Meta's EU-U.S. Facebook data flows on the basis that standard contractual clauses do not offer adequate protection in respect of those transfers.

What does the EO do?

The EO follows the joint EU-U.S. announcement of a "deal in principle" in March 2022 on what is now called the "EU-U.S. Data Privacy Framework". The EO:

requires US intelligence agencies only to collect data for specific national security purposes where necessary and in a manner that does not disproportionately impact privacy rights and civil liberties. Agencies must update their policies and procedures to align with the EO’s guidelines;
puts in place measures to oversee compliance, including a Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO); and
establishes a tiered redress mechanism to review and resolve complaints concerning US signals intelligence activities, comprising: (i) a CLPO investigation; and (ii) a Data Protection Review Court to provide an independent and binding review of the CLPO’s decisions.

What are the next steps?

The EO serves as the basis for a draft adequacy decision by the European Commission. The European Data Protection Board will then issue an opinion (which is non-binding, but nevertheless typically followed) on the draft adequacy decision and it must then be formally approved by EU member state representatives. The process is likely to take until March 2023, at the earliest.

What does it mean for the UK?

While the EO is not strictly relevant to data exports from the UK under the UK GDPR, the UK will be eager to build on it for the purposes of making its own adequacy finding in respect of the US.

The UK welcomes the release of the Executive Order…and intends to work expediently to conclude its assessment, with the aim of issuing an adequacy decision that will restore a stable and reliable mechanism for UK-US data flows

UK-US Joint Statement: New Comprehensive Dialogue on Technology and Data and Progress on Data Adequacy, 7 October 2022

In turn, the US has said that it intends to work to designate the UK as a qualifying state under the EO to enable UK individuals to access the redress mechanism established under the EO.

But would an adequacy decision, based on the EO, last?

The burning question is of course whether an adequacy decision based on the EO is likely to be struck down like its predecessors, the Privacy Shield and Safe Harbor? It is highly likely to be challenged.

At first sight it seems that the core issues were not solved and it will be back to the CJEU sooner or later

Max Schrems

Max Schrems' noyb.eu website promises a full response in due course, but suggests that potential areas that he might challenge include:

the fact that this is an Executive Order, instead of legislative change;
whether the US surveillance practices in fact match the CJEU's test of proportionality (even though the EO uses the words "proportionate" and "necessary");
whether the redress mechanism is deficient.

What to do in the meantime?

Until an adequacy decision is implemented, organisations are required to comply with the Schrems II judgment and EDPB guidance. This means continuing to map data transfers, identifying an EU approved transfer tool (e.g. standard contractual clauses), undertaking a transfer impact assessment and adopting supplementary measures (which may include technical, contractual or operational safeguards) where appropriate.

In relation to the EU's "new" (June 2021) standard contractual clauses, it is worth noting the deadline of 27 December 2022 to transition existing data transfer arrangements based on the old EU model clauses to the new clauses.

Read Louisa Chambers Profile