The US Office of the Director of National Intelligence (“ODNI”) announced today that it has fully implemented new safeguards under Executive Order 14086. See INTEL – ODNI Releases IC Procedures Implementing New Safeguards in Executive Order 14086. These steps clear the path for the European Commission to adopt the draft “adequacy decision” for cross-border data transfers pursuant to the EU-U.S. Data Privacy Framework.
By way of brief background, in July 2020, the Court of Justice of the European Union (“CJEU”), in a decision called “Schrems II,” invalidated the adequacy finding for cross-border data transfers under the EU-US Privacy Shield. The CJEU’s decision was largely driven by a perceived insufficiency of privacy protections associated with certain US national security intelligence gathering activity. The CJEU’s invalidation of Privacy Shield created risk under the EU General Data Protection Regulation (“GDPR”) for EU and US companies that transferred personal data on the basis of Privacy Shield. More information on Privacy Shield and Schrems II can be found here: https://www.connectontech.com/category/privacy-shield/
In response to Schrems II, the US government and the European Commission worked collaboratively to develop a successor transatlantic data transfer arrangement, called the EU-U.S. Data Privacy Framework (“DPF”). From a substantive perspective, among other steps, the US Administration adopted Executive Order 14086 (“EO”). The EO establishes a new process for individuals to seek redress regarding alleged covered violations of law with respect to signals intelligence activities concerning their data that has been transferred from a “qualifying state” to the United States.
The US government needed to take several key steps to implement the EO. In addition to issuing implementing procedures for the EO for each of the ODNI elements and other activities, the US government has now also declared that the European Union (“EU”) and European Economic Area (“EEA”) Member States are “qualifying states,” such that local EU and other EEA citizens will be able to file a complaint, which can trigger review by the ODNI Civil Liberties Protection Officer (“CLPO”) and, if needed, ultimately by the U.S. Data Protection Review Court. The US government’s decision on the qualifying states will be effective upon the European Commission’s adoption of the DPF adequacy decision. These and other activities assure that, as of the time of the European Commission’s adoption of the DPF, the US government will fully comply with the implementation of the EO.
Next Steps. The European Commission has indicated that it expects to adopt the adequacy decision for the DPF by this summer. From that point, the US Department of Commerce (“US DOC”) will provide a grace period of three months in which companies currently self-certified to the Privacy Shield can convert their self-certification to cover the DPF. The US DOC will also provide a means for new companies to self-certify to the DPF, so as to obtain the legal benefits of being deemed to provide adequate protection under GDPR. Although it is expected that EU data protection authorities and others will continue to apply scrutiny to EU-US data transfers, the DPF and associated implementation steps should help to provide more legal certainty for cross-border data transfers and also assure increased privacy protections for such data.