Derek Mooney writes: On 7 October 2022, President Joe Biden signed an Executive Order which the Administration hopes will allow easier, unobstructed EU/US data flows. The Executive Order adopts new American intelligence gathering privacy safeguards and gives legal and administrative effect to the EU/US framework that was agreed between Brussels and Washington DC last March.
As reported by Reuters, officials and businesses on both sides of the Atlantic hope the EO will end the limbo in which thousands of companies found themselves. U.S. Commerce Secretary Gina Raimondo told reporters the executive order "is the culmination of our joint effort to restore trust and stability to transatlantic data flows" and "will ensure the privacy of EU personal data."
They say the third time is a charm, and we should hope so, as this is the third attempt to address issues with EU/US data transfers after the previous Safe Harbour and Privacy Shield mechanisms were invalidated on foot of decisions of the Court of Justice of the European Union (CJEU/ECJ).
There are many very fine and capable legal interpretations of the very detailed contents of the Executive Order, plus the most comprehensive fact sheets issued by the White House, so we intend to focus more on what happens next, rather than critique the Executive Order itself.
On the positive side, there is a general acceptance that the EO is a real attempt by the US administration to respond to the concerns raised by the EU courts in past decisions, particularly Schrems II. In its response to the EO, Schrems' own noyb.eu organisation acknowledges that:
… [the] executive order uses the wording of EU law ("necessary" and "proportionate" as in Article 52 CFR) instead of the previous term "as tailored as feasible" used in Section 1(d) of PPD-28. This could solve the problem, if the US would follow the same understanding and also apply the proportionality test of the CJEU.
But, not surprisingly, they have a sting in the tail. While they welcome the Americans' adoption of the Court's language, they – and other privacy activists – claim that the problem now lies elsewhere, with the interpretation in US law of these phrases, saying that:
“… It seems the EU and the US agreed to copy the words "necessary" and "proportionate" into the Executive Order, but did not agree that it will have the same legal meaning. If it would have the same meaning, the US would have to fundamentally limit its mass surveillance systems to comply with the EU understanding of "proportionate" surveillance.”
Long story short, the folks whose legal actions led to the Schrems I and Schrems II decisions now believe that we are coasting towards another two-to-three-year-long legal action and a potential Schrems III case.
So, what happens now? The consensus is that the European Commission will formally adopt a new adequacy decision under the EU GDPR for the new EO and the Framework in about six months’ time (around March/April 2023). Until then, companies will need to use the existing Standard Contractual Clauses and Binding Corporate Rules for international transfers.
Max Schrems, as chair of noyb.eu, is presuming the Adequacy Decision will be granted and is already accusing the European Commission of "turning a blind eye on US law again and allowing the continued surveillance of Europeans."
So, what happens next? Well, if past form is a predictor of future action, we can expect a repeat of the past ping-pong cycle of two to three years of data flows permitted by this new Privacy Shield style arrangement, followed by a potential Schrems III decision from the CJEU invalidating it.
Two caveats, however. The first is the danger of assuming that the CJEU's definition of proportionate will not be impacted by this serious attempt by the US government to move ground and adopt past CJEU decisions. The second is that the Russian invasion of Ukraine has raised European awareness of the threats posed on land, sea, air and cyber and the renewed importance of national security, including intelligence gathering.
The outlook for US/UK data flows is also looking positive, in the short term. The British Government plans to issue a UK/US adequacy decision in early 2023. Meanwhile, on the same day as the Executive Order was published, the UK government announced: "significant progress on UK-US data adequacy discussions" and published a US-UK Joint Statement on a New Comprehensive Dialogue on Technology and Data. But as we have seen in the past, UK political decisions on data transfers can be like London buses… nothing for ages and then three or four arrive at once… all heading in different directions.