Shaping the International Data Privacy Framework: The US-Adequacy Decision After President Biden’s Executive Order and the Future of Transatlantic Data Transfers

Author: Annalisa Ricchiuti, LL.M in Intellectual Property and Competition Law-Munich Intellectual Property Law Center (MIPLC), 2020-2021

Editor: Bobbie Smith, MA Geography University of Aberdeen 2016-2020 / Graduate Diploma in Law University of Exeter 2020-2022

 

In October 2022, US President Biden signed the long-awaited Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities[1] (the “Executive Order”), with the aim of driving the next stage of the US-EU Transatlantic Data Privacy Framework and in anticipation of the proposed European Commission US-adequacy decision[2].

The Executive Order was catalysed by two preceding rulings – Schrems I [3] and II [4] – from the Court of Justice of the European Union (the “CJEU”), which invalidated the Commission’s adequacy decision on the EU-US Privacy Shield – a framework used for EU-US data transfers.

The CJEU rendered de facto illegal any personal data transfer from the EU to the US, declaring the legislation inadequate to safeguard the fundamental rights granted under the GDPR. The Court found that the GDPR would apply to any kind of data transfer conducted outside of the European Economic Area, whereby data subjects are entitled to protection equivalent to that guaranteed within the EU through the GDPR – as interpreted by the Charter of Fundamental Rights of the European Union. The Court specified that, in assessing whether that level of protection is ensured, the factors taken into account are not only the clauses agreed upon by the private entities involved in the data transfer but also whether public authorities of third countries can gain access to the data, and the relevant aspects of the legal system. In the absence of a Commission adequacy decision for the US, the Court required that supervisory authorities suspend and/or prohibit transfers of personal data to third countries in any case where the protection granted under EU law cannot be reached by other means. The Court concluded by stating that the limitations on the protection of personal data arising from US law on data access by US authorities cannot satisfy requirements that are essentially equivalent to those required under EU law: under the principle of proportionality, the surveillance activities based on those provisions are not limited to what is strictly necessary[5].

Following this decision, the Executive Order is in pursuit of defining what is ‘necessary and proportionate’ for US Government agencies’ surveillance activities, and seeks to establish a redress mechanism that includes the creation of the Data Protection Review Court. The Executive Order was passed by the European Commission after a review of the measures contained therein, to ensure that the rights of European citizens remain safeguarded. The judgement, which is still in draft, will most likely make transatlantic data transfers possible again. Despite the positive outcome of the European Commission’s evaluation, the Executive Order presents many controversial points, principally the redress mechanism and the lack of definition(s).

Redress Mechanism

The most contentious part of the negotiation stems from the move from the former Privacy Shield, which was established by an Ombudsman, to the present Data Protection Review, whereby the Court will be independent and composed of people external to the US Government. Its members will be removed only for criminal liability (or similar reasons) and shall have full access to the documents from the Intelligence Community, assisted by a first round of investigation with support from the Chief of the ODNI Civil Liberties, Privacy, and Transparency Office.

In addition, a Special Advocate shall be appointed in case of complaints and shall formulate questions for the Court. Note that a Special Advocate is an individual with relevant experience in the field, who is appointed by the Data Protection Review Court through the procedures prescribed in the Attorney General’s regulations. The Special Advocate will ensure that the complainant’s interests are represented before the Court, as well as assist the panel in its consideration of the application for review. Nonetheless, it is still controversial whether the redress mechanism will meet the criteria set up for the European Union and whether the system will be enough to guarantee the respect of fundamental rights.

On the other hand, the Executive Order states that every agency has to follow the finding of the Court, whereby the Court can request the relevant agency to delete the files. If the agency does not follow the Court’s order, this would mean that the agency is de facto in breach of a presidential order – giving highly binding power to non-military and even military agencies.

Will the full binding effect meet the EU requirements that the previously appointed Ombudsman could not meet? In light of these considerations, the question of whether the Executive Order will survive a challenge brought in front of the Court of Justice remains open.

To provide perspective, the EU-US data transfer framework was not the only guideline shaping the future of data transfers – at the same time the Executive Order was issued, the US-UK Data Transfer Agreement [6] came into force, and the UK landmark decision with South Korea was being finalised.

With regard to the former, the Data Access Agreement on Access to Electronic Data to counter Serious Crime aims to simplify the request process for US-UK cross-border criminal investigation disclosures in cases involving terrorism, transnational organized crime, and other crimes.

The Data Access Agreement impacts relevant UK-US personal data transfers; thus, in future, it might also impact the EU-UK adequacy decision issued by the European Commission before Brexit. Nonetheless, such risk could be mitigated by the aforementioned US draft adequacy decision.

Similarly, the UK adequacy decision for data transfer to South Korea[7] might cause the European Commission to reconsider the status quo for the UK.

The rules of data transfer, especially from the European Union, are rapidly changing through bilateral agreements between States, but also on a superior, international, and more complex scale[8]. As an example, in December 2022, the OECD States – comprising all the EU Member States, the US and the UK – issued a Declaration on Government Access to Personal Data held by Private Sector Entities (the “Declaration”) with the collective intention to safeguard privacy when accessing personal data for national security and law enforcement purposes. The Declaration aims to facilitate collaboration between countries on the rules regulating data flows and to regulate governments’ access to personal data as well. The Declaration prescribes that government access shall be carried out only in specific cases according to the law and ‘in a manner that is not excessive’, respecting the principles of necessity and proportionality. Each OECD country will implement and interpret the principles set forth in the Declaration according to its own legal framework.

The need to balance the protection of fundamental rights with other (and equally important) needs – such as conducting transnational criminal investigations for specific categories of serious crime – has urged the collaboration of States with profoundly different legal backgrounds. At the same time, private sector entities are calling for a uniform framework, or at least a clear one, because conducting business with integrity and ensuring legal compliance is possible only when the rules are clear and consistent.

Definitions

To add further fuel, the absence of definitions – such as “necessary and proportionate” – sparks a contrast of interpretation between the EU and US legal cultures and frameworks. In turn, authorities have the flexibility to review each scenario on a case-by-case basis. Academics question whether a linear definition is essential, since a definition for the sake of a definition could add further complexity or, in this instance, further misconceptions. However, as a counterargument, definitions are sought in instances where data access is not necessary under the European Charter of Fundamental Rights but could be necessary under the US Constitution, and vice versa.

The future framework of international data privacy remains loosely in draft. However, what can be forecast is the pace of demand for harmonised guidelines, clarity on definitions, and legal certainty for citizens. Uniform regulations would provide transparency on how data transfers and data access are conducted, as well as on the legal remedies that are offered across jurisdictions. The current digital revolution and the peak of data mobility allow no room for misconstructions and misinterpretations.

 

Citation

[1]    Fact sheet: President Biden signs executive order to implement the European Union-U.S. Data Privacy Framework (2022) The White House. The United States Government. Available at: https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/07/fact-sheet-president-biden-signs-executive-order-to-implement-the-european-union-u-s-data-privacy-framework/ (Accessed: December 31, 2022).

[2]    European Commission (2022) Adequacy decision for the EU-US data privacy framework, European Commission. Available at: https://commission.europa.eu/document/e5a39b3c-6e7c-4c89-9dc7-016d719e3d12_en (Accessed: December 31, 2022).

[3]    C-362/14 – Maximillian Schrems v Data Protection Commissioner (2015).

[4]    C-311/18 – Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (2020).

[5]    Ibid.

[6]    The United States Department of Justice (2022) Landmark U.S.-UK Data Access Agreement enters into force, The United States Department of Justice. Available at: https://www.justice.gov/opa/pr/landmark-us-uk-data-access-agreement-enters-force (Accessed: December 31, 2022).

[7]    UK Department for Digital, Culture, Media & Sport and Lopez, J. (2022) UK finalises landmark data decision with South Korea to help unlock millions in economic growth, GOV.UK. Available at: https://www.gov.uk/government/news/uk-finalises-landmark-data-decision-with-south-korea-to-help-unlock-millions-in-economic-growth#:~:text=deal%20%2D%20boosting%20investment.-,UK%20organisations%20will%20be%20able%20to%20share%20personal%20data%20securely,them%20to%20operate%20and%20grow. (Accessed: December 31, 2022).

[8]    Inter alia, see the OECD intergovernmental agreement on a common approach to safeguard privacy when accessing personal data for national security and law enforcement purposes, Declaration on Government Access to Personal Data held by Private Sector Entities (2022) OECD Legal Instruments. Available at: https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0487 (Accessed: December 31, 2022).

 

This article is written within the Academic Essay Project (AEP) organised by LAWELS. AEP aims to increase the number of quality academic writings on legal topics, encourage young lawyers to participate in academic writing, and lay the foundation of an online database on legal science. The team of legal editors and legal writers share their knowledge through high-end essays that we are publishing on our website and social media accounts for the world to read and learn from.

The articles on the LAWELS platform are not, nor are they intended to be, legal advice. You should consult a lawyer for individual advice or assessment regarding your own situation. The article only reflects the views of the author.