Son of Son of Safe Harbor: A Schrems Solution Arrives

Published: Oct. 07, 2022

Today, the U.S. took a giant step toward resolving the “Schrems II” EU data transfer problem, possibly allowing the United States to earn a partial adequacy determination from the European Commission early next year. President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the “EO”), which sets forth some aspects of a new EU-U.S. Data Privacy Framework (“DPF”), and the Department of Justice and Department of Commerce have begun putting other pieces into place. Some details remain to be clarified, and political processes need to occur on both sides of the Atlantic before the arrangement takes full legal effect.  

A potential adequacy determination would still require use of data transfer mechanisms like Standard Contractual Clauses (“SCCs”), Binding Corporate Rules (“BCRs”), or a slightly modified Privacy Shield program for most transfers to the U.S. Transfer impact assessments (“TIAs”) could still be required. However, the U.S. government’s national security surveillance activities would no longer pose a potential legal obstacle for such transfers, which would significantly improve companies’ ability to transfer GDPR-regulated data to recipients in the U.S.

More Detail

This EO addresses the two main concerns identified in the European Union Court of Justice’s 2020 Schrems II decision, which invalidated the EU-U.S. Privacy Shield and restricted the use of SCCs and BCRs as data transfer mechanisms: (i) the U.S. government’s allegedly disproportionate collection of signals intelligence data for national security purposes, and (ii) a perceived lack of sufficient redress mechanisms for affected individuals.

While the new redress mechanisms will likely take at least a few months to fully establish, the European Commission has already commented favorably on the EO and stated that it will begin preparing a draft adequacy decision.

The framework addresses the Schrems II decision in three key ways:

1 – Establishes a “Signals Intelligence Redress Mechanism” for Non-U.S. Citizens

A key contention of Schrems II was that EU residents who believed their rights were violated by U.S. surveillance activities did not have an effective redress mechanism. The EO creates a redress mechanism under which the U.S. government will review complaints by non-U.S. citizens in a “qualifying state” (see below) related to U.S. signals intelligence activities. The redress process begins when a resident of a qualifying state submits a complaint to the appropriate public authority in that state, which will then provide the complaint to the U.S. government. The Civil Liberties Protection Officer in the Office of the Director of National Intelligence (“CLPO”) will investigate the complaint to determine whether there was a violation of the EO or other applicable U.S. laws. If so, the CLPO will determine if an appropriate remedy has been granted, and if not, has binding authority to determine appropriate remedies. The EO also directs the Attorney General to establish the Data Protection Review Court (“DPRC”) to review the CLPO’s decisions upon application for review by the complainant or an element of the Intelligence Community. The Department of Justice published regulations establishing the DPRC today. The DPRC is within the Department of Justice, in the Executive Branch, but certain safeguards establish independence in its decision making. 

A “qualifying state” will be designated by the Attorney General in consultation with the Secretary of State, Secretary of Commerce, and the Director of National Intelligence (DNI) based on three requirements: (1) that the state provides adequate protections to U.S. citizens; (2) that it permits the transfer of data to the U.S. for commercial purposes; and (3) that designation as a qualifying state would advance the national interests of the United States.

2 – Adds Safeguards for U.S. Intelligence Activities

The EO also establishes principles applicable to all types of U.S. signals intelligence activities, which address the Schrems II critique that U.S. signals intelligence collection was not necessary and proportionate to the goals and purposes of such collection and did not sufficiently respect individuals’ rights and privacy interests. The EO limits signals intelligence activities to situations when less intrusive sources and methods are not available, feasible, and appropriate. It requires signals intelligence activities to be tied to a “validated intelligence priority” and establishes a list of such priorities. Signals intelligence activities must be necessary for the validated intelligence priority and be conducted in a manner that is proportionate to such priority, in order to ensure proper balance between intelligence interests and the privacy interests and civil liberties of all individuals (regardless of citizenship). The EO also requires signals intelligence to have a legitimate objective and establishes a set list of such objectives. These and other limitations restrict when and how signals intelligence can be conducted.

In addition, the EO limits bulk collection of signals intelligence to situations where an interagency committee within the U.S. Intelligence Community determines that bulk collection is necessary to achieve a “validated intelligence priority” that cannot be achieved with targeted collection. The Intelligence Community must conduct bulk collection such that it is proportionate to the identified priority and must only collect information necessary to advance that priority. This limitation directly addresses EU concerns with bulk collection following Schrems II.

3 – Increases Transparency

The EO increases visibility into U.S. signals intelligence activities by requiring the Privacy and Civil Liberties Oversight Board (“PCLOB”) to review the Intelligence Community’s compliance with the EO and annually review the redress process, including a review of whether the Intelligence Community has complied with decisions and determinations of the DPRC and the CLPO. The PCLOB reports will be made available in unclassified versions.

Next Steps

The decision whether to grant adequacy to the U.S. based on the EO is now in European hands, following the process summarized here. At least until such a decision is granted, for most transfers of GDPR-regulated data to the U.S., companies must continue using data transfer mechanisms such as the SCCs and BCRs and must continue conducting TIAs.