October 10, 2022

Mark Your Calendars for Schrems III: Key Takeaways from the Latest Developments in the EU-U.S. Data Deal

In a string of executive actions unveiled on October 7, 2022, the U.S. government took steps to implement the EU-U.S. Data Privacy Framework (DPF), the third attempt to secure trans-Atlantic data flows after the European Court of Justice's (ECJ) rejection of prior attempts in the Schrems I and Schrems II decisions. In an effort to address the ECJ's concerns over U.S. surveillance law, U.S. President Joe Biden signed an executive order (EO) and U.S. Attorney General Merrick Garland executed new DOJ regulations reforming how U.S. intelligence agencies collect and use personal data. Following these actions, U.S. Secretary of Commerce Gina Raimondo announced the development of new commercial principles to which companies will need to self-certify to participate in the DPF.

Despite all of this, like its predecessor, the DPF is likely to face a legal challenge by privacy advocates, and its long-term prospects are uncertain. Still, the importance of EU-U.S. data transfers cannot be overstated in today's global economy. Many companies will find it worthwhile to certify to the DPF to streamline their own operations and to assure customers, partners and regulators that they are taking all available measures to protect cross-border data flows.

IN DEPTH

WHAT ARE THE NEW SURVEILLANCE REFORMS?

The new EO is designed to address the ECJ's concerns over the breadth of U.S. surveillance authorities. The EO imposes new limits on the collection and use of personal data by U.S. intelligence agencies. All such intelligence programs must:

  • Be conducted "in pursuit of" one of twelve new "legitimate objectives," including, for example, protecting against terrorism, foreign military, transnational criminal and cybersecurity threats, and related national security objectives;
  • Take civil liberties into account, as well as any available "less intrusive" means, in pursuing the documented objective(s);
  • Not be for "the purpose" of one of four "prohibited objectives," including suppressing privacy or freedom of expression;
  • Adhere to additional, narrower security objectives in the case of "bulk collection"; and
  • Be subject to additional new data minimization, sharing and retention limits.

Second, the EO creates a new "redress" mechanism by authorizing and directing the Attorney General to establish a Data Protection Review Court (DPRC). An Article II body, the DPRC will be empowered to issue decisions on alleged violations of U.S. law. The DPRC will review complaints through a complex process requiring the designation of "qualifying" foreign governments that can transmit complaints on behalf of complainants. The DPRC's decisions will be binding on U.S. intelligence agencies, which will be required to implement "appropriate remediation."

THRICE IN A LIFETIME: WILL THE DPF SURVIVE SCHREMS III?

The new EO represents a clear step forward from the Privacy Shield Framework. The surveillance purpose limitations directly address the ECJ's concerns around necessity and proportionality in Schrems II, and the redress mechanism is designed to allow independent oversight and correct the asserted deficiencies the ECJ found with the Privacy Shield Framework's Ombudsperson.

However, critics of the DPF will likely argue that these reforms do not go far enough, and this time the devil is even more in the details than before. Indeed, Mr. Schrems has already expressed his view that the DPF is insufficient. His statements raise the specter of a likely Schrems III case challenging the DPF after the framework enters into force in the European Union. Privacy professionals should prepare for yet another extended court battle over the scope and proportionality of U.S. surveillance to play out over the coming years, because the following remains true even after the recent changes by the U.S. government:

  • The new surveillance purpose limitations still retain broad "legitimate objectives," potentially creating inconsistency with EU standards of "necessity and proportionality," which require frequent reassessments of the level of existing threats.
  • Surveillance programs under FISA 702 will continue to be conducted without individualized judicial approval (which likely will be an issue in subsequent ECJ reviews) and will not qualify as "bulk collection" under the EO.
  • The DPRC's requirement to grant "appropriate deference to any relevant determinations made by national security officials" may limit the scope of its review over purpose determinations made by intelligence officials.
  • Complainants to the DPRC will not be informed of the disposition of their cases or what "redress" was performed and may have little incentive to bring complaints, which may conflict with the ECJ's prior rulings requiring that data subjects' rights be enforceable.

WHAT DOES IT ALL MEAN FOR COMPANIES?

Despite the DPF's uncertain future, companies should take note of these developments. The DPF has immediate practical value for companies transferring data to the United States pursuant to "transfer impact assessments," which evaluate the risks of specific data transfers under local law. Many of the provisions of the EO can be used to support these assessments on the grounds that intervening changes to U.S. law change the Schrems II analysis.

Finally, once the DPF enters into full force, many companies will find value in signing on to the new DPF even as court challenges proceed. The framework will provide an extra layer of protection for data transfers at a time when these activities pose complex legal challenges for many businesses. So, while questions remain as to whether these most recent actions by the United States will suffice, it is unquestionable that at least for some period of time, they will help companies address the current challenges of EU-U.S. personal data transfers.