DATA PROTECTION
Reactions to the US Executive Order implementing the EU-US DPF
The White House announced, on 7 October 2022, that US President Joseph Biden had signed, on the same date, the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which directs the steps that the US will take to implement its commitments under the European Union - U.S. Data Privacy Framework ('EU-US DPF'), as announced in March 2022. In response to the Executive Order, the European Commission released its Questions and Answers ('Q&As') and announced that it will now prepare a draft adequacy decision, as well as launch its adoption procedure, a process which could take up to six months.
Since the announcement, various data protection authorities and industry bodies have published their first reactions.
Data protection authorities and government bodies
UK
The UK Secretary of State for Digital, Culture, Media and Sport and the US Secretary of Commerce issued, on 7 October 2022, a joint statement, confirming plans for the UK to review the order and to prepare for an adequacy decision for UK-US data flows in early 2023.
Switzerland - FDPIC
The Federal Data Protection and Information Commissioner ('FDPIC') issued, on 7 October 2022, a statement taking note of the signature of the order, regulations, factsheet and Commission's Q&As, stating that it is currently analysing the same.
Denmark - Datatilsynet
The Danish data protection authority ('Datatilsynet') published, on 7 October 2022, its statement on the order, outlining that it is not itself a basis for transfers of personal data, until the Commission has approved an assessment that, overall, states that there is a sufficient level of protection for personal data in the US. Furthermore, Datatilsynet indicated that the collection of personal data must be proportionate and limited to what is strictly necessary, and EU citizens who have their personal data processed by US intelligence services must have access to effective legal remedies, including an independent appeals body.
Other
NOYB
None of your business ('NOYB') released, on 7 October 2022, a statement in which it issued its first reaction to the order. In particular, NOYB concluded that the order would be unlikely to satisfy EU law and outlined various concerns upon initial inspection. Crucially, NOYB stated that, should the decision of the Commission not remain in line with EU law and the relevant Court of Justice of the European Union ('CJEU') judgments, NOYB will likely bring another challenge before the CJEU.
Future of Privacy Forum
The Future of Privacy Forum ('FPF') issued, on 7 October 2022, a statement from its CEO, Jules Polonetsky, on the order. In particular, Polonetsky's statement welcomed the order, but noted that important legal discussions must take place regarding the exact nature of the judicial redress and oversight mechanism, restrictions on bulk collection, and the reciprocity requirement for redress, which requires any country to implement safeguards for US citizens' data to benefit from the system.
EPIC
The Electronic Privacy Information Center ('EPIC') released, on 7 October 2022, a statement in which it issued its first reaction to the order. In particular, EPIC provided that the order would be unlikely to satisfy the CJEU standards for privacy protection. More specifically, EPIC noted that while the order does provide some privacy safeguards, it does not fully bar the use of bulk collection methods by US intelligence agencies. Likewise, EPIC also detailed the complexity of the redress mechanism and the lack of any notice provisions.
In addition, EPIC Executive Director, Alan Butler, stated that "The new Data Protection Review Court is a step in the right direction, but the Administration must ensure that existing barriers to redress - such as notice, excessive secrecy, and undue deference to national security authorities - do not continue to stymie independent, meaningful efforts to vindicate privacy rights".
TACD
The Transatlantic Consumer Dialogue ('TACD') released, on 7 October 2022, a statement in which it issued its first reaction to the order. In particular, the TACD stated that following its first analysis of the order, it had found that the new measures would not provide adequate protection to European consumers' fundamental privacy and data protection rights established under the EU Charter of Fundamental Rights and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). More specifically, the TACD noted the following with regard to the inadequacy of the new measures introduced by the order:
- though the wording of the order includes 'proportionality', it does not establish any mechanisms to limit the US mass surveillance systems in place and as such fails to solve the issue of the lack of proportionality of the US surveillance laws and practices; and
- the order does not provide for real judicial redress to European consumers, since the 'Data Protection Review Court' included in the two-step mechanism for redress established therein, might not be a judicial body, but a body within the US government's executive branch.
ACLU
The American Civil Liberties Union ('ACLU') released, on 7 October 2022, a statement in which it issued its first reaction to the order. In particular, the ACLU concluded that the order does not meet basic legal requirements in the EU, noting that the order without more cannot cure the deficiencies of the US surveillance regime. Moreover, Senior Staff Attorney at the ACLU, Ashley Gorski, stated that "to protect our privacy and to put transatlantic data transfers on a sound legal footing, Congress must enact meaningful surveillance reform". Furthermore, the ACLU is calling on Congress to radically reform US surveillance laws to rein in warrantless spying, and to ensure that there is a meaningful opportunity to challenge the government's surveillance, noting that the following reforms are necessary to include:
- ending bulk, generalised data collection conducted under Executive Order 12333;
- narrowing the categories of persons who may be targeted using surveillance under Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333; and
- ensuring that individuals impacted by US surveillance are able to challenge improper surveillance in US courts, including by reforming the 'state secrets privilege'.
BBB
The BBB National Programs ('BBB') issued, on 7 October 2022, a statement from its Vice President, Dona Fraser, on the Executive Order. In particular, the BBB praised the U.S. Department of Commerce and their counterparts in the European Commission for lifting the cloud of uncertainty that has been hanging over Privacy Shield for more than two years. Moreover, the BBB highlighted that they are ready to ensure that businesses that have opted to remain self-certified to Privacy Shield will experience a smooth transition to the EU-U.S. Data Privacy Framework Principles.