Temporarily Shielded? Executive Action and the Transatlantic Data Privacy Framework
Transatlantic data flows account for more than half of Europe’s data flows and about half of U.S. data flows globally. According to the Congressional Research Service, in 2020, the U.S.-EU trade of information and communications technology (ICT) services and potentially ICT-enabled services was over $264 billion. The European Union and United States have taken somewhat divergent approaches to regulating the digital relationship between government and citizens; the European Union has imposed limitations on cross-border personal data transfers and sought to codify personal privacy rights at the heart of its ambitious “Digital Decade” packages. The “Brussels effect,” whereby European policies are exported abroad, epitomizes the European approach to digitization. The European approach has been to craft ex ante rules based on the precautionary principle, a philosophy that seeks to preempt the deployment of goods and services perceived as potentially risky.
The United States, limited by domestic political impasses, is left awkwardly in the middle. Failure to achieve federal digital standards, both on antitrust enforcement and privacy, has pushed U.S. state legislatures to pursue their own policies, creating a fractured regulatory environment that breeds uncertainty for companies and citizens alike. The U.S. position—or lack of a coherent one—also obscures its stance to allies and adversaries, significantly constraining the United States’ ability to influence and enshrine prodemocratic principles in future digital governance.
Q1: What data-sharing framework preceded the Transatlantic Data Privacy (TADP) Framework?
A1: One measure intended to facilitate a more aligned digital approach was the Privacy Shield, which was established in 2016 and replaced the U.S.-EU Safe Harbor Framework, which operated in a similar capacity before it was invalidated by the European Court of Justice (CJEU) in 2015. The Privacy Shield created an “adequacy” agreement following implementation of the General Data Protection Regulation (GDPR). Privacy Shield negotiations have taken place within the International Trade Administration at the Commerce Department, although the White House has taken an interest and played a negotiating role. On the EU side, the European Commission has negotiated the agreement.
In July 2020, the CJEU ruled in Schrems II that the transfer of personal data through the EU-U.S. Privacy Shield Decision was illegal. According to the CJEU, the Privacy Shield failed to meet the required level of protection to conform to EU standards following implementation of the GDPR. It cited the deep scope of U.S. data collection in government surveillance and a lack of redress options for EU citizens. This followed the Schrems I case, which invalidated the Safe Harbor Decision in 2015 for similar reasons regarding the inadequacy of the U.S. data protection system. The EU-U.S. Privacy Shield attempted to address these concerns with a new adequacy framework, yet it was not enough for the CJEU once the GDPR was officially implemented.
In the absence of a formal data-sharing framework, the private sector relies on standard contractual clauses (SCCs) under the GDPR. These ensure that appropriate data protection safeguards are used for data transfers from the European Union to third countries. The SCCs are standardized and preapproved model data protection clauses that allow controllers and processors to comply with obligations under EU data protection law. Data exporters can use SCCs, for example, without the need to obtain prior authorization from a data protection authority. There is no obligation to use SCCs, meaning they can be used on a voluntary basis to demonstrate compliance with data protection requirements. By adhering to the SCCs, data importers contractually commit to abide by a set of data protection safeguards. For SCCs to fulfill the requirements of the GDPR and EU Data Protection Representatives (EUDPR), parties need to enter into a legally binding agreement to abide by them.
Q2: What is the TADP Framework?
A2: In spring 2022, the European Union and United States reached a “Deal in Principle” to reconstitute a data-sharing framework. This new TADP Framework committed the United States to implement new mechanisms that ensure that government surveillance activities and data collection are “necessary and proportionate,” which is intended to limit the authority—although not necessarily the ability—of the U.S. government to obtain large swaths of private and commercial data. Other U.S. commitments include establishing an independent authority, similar to the European Data Protection Board (EDPB), which would independently regulate and oversee the U.S. government’s handling of data. This new body, an independent data protection review court, would also provide a means for European citizens to seek redress through this framework. One of the intended goals of this independent body would be to provide assurance that U.S. intelligence agencies would adhere to civil liberty standards.
Under the TADP Framework, U.S. companies will continue to be required to self-certify through the Department of Commerce as eligible to satisfy GDPR standards. Under this firm-based certification mechanism, companies will self-certify compliance with the key principles originally set forth by the Privacy Shield, including privacy and supplemental principles (secondary liability, data protection authorities). In 2020, when the CJEU invalidated the Privacy Shield, 5,380 companies had already certified eligibility.
Q3: What does the recent executive order change in the transatlantic privacy regime?
A3: The October 2022 Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities grants new legal protections for both Americans and Europeans over how U.S. national security agencies can use citizens’ data. The executive order codifies that U.S. government agencies can only collect data that is “necessary and proportionate” for surveillance purposes, although it remains to be seen how that language will be interpreted, how wide the range of activities permissible under the executive order’s definition will be, and what would be palatable for the European Union. The four main components of the executive order are
- adding further safeguards for U.S. intelligence activities;
- mandating handling requirements for personal information;
- requiring the U.S. intelligence community to update policies and procedures to reflect new privacy safeguards; and
- creating a multilayer mechanism for individuals to obtain independent and binding review and redress.
The civil liberties protection officer (CLPO), housed in the Office of the Director of National Intelligence, will provide an initial review to determine whether a violation of the new privacy safeguards has occurred. The CLPO’s decision will be binding on the intelligence community (IC). The second stage of the review involves the establishment of a Data Protection Review Court (DPRC), which the executive order directs the attorney general to establish. The DPRC’s members will be appointed from outside the U.S. government and will review cases independently. The executive order also obligates the CLPO and DPRC to conduct an annual review of the redress process.
This independent redress authority would seek to mitigate long-standing European criticisms of the Privacy Shield and ombudsperson approaches, which center around questions of how the body functions. A central criticism of the European Union about this approach is that the inherently close nature of the body to the U.S. IC necessarily precludes it from functioning impartially and independently.
Another significant change is that the executive order provides the United States the power to determine whether European surveillance programs adequately protect U.S. citizens’ privacy rights. The U.S. attorney general will decide whether or not European signals intelligence gathering meets U.S. standards.
The TADP Framework will not only invite inquiry from Europeans. The U.S. Congress may also have questions about the framework and what it means for pending privacy legislation at the U.S. federal level. Other stakeholders will also likely be interested in how the implementation of the TADP Framework will enhance U.S. credibility abroad, including vis-à-vis China in international institutions. The reestablishment of a transatlantic data-sharing mechanism could also portend tangible progress for future U.S. free trade agreements. The United States could, for example, use the TADP Framework in place of the United States-Mexico-Canada Agreement (USMCA) digital chapter when negotiating the Indo-Pacific Economic Framework (IPEF) trade pillar, which includes a sub-pillar on digital trade.
Q4: How is the TADP likely to be received in the European Union?
A4: The U.S. executive order also jump-starts the process for ratification within the European Union. It is anticipated that EU ratification, whereby the TADP Framework will go through the European Parliament for approval, will take approximately six months. It is thus anticipated that the European Union will ratify the agreement in spring 2023. This contrasts with the United States, which will not submit the agreement to Congress for approval, creating an asymmetry among the parties in terms of legislative input and ratification. Furthermore, questions abound about the response of European civil society to the TADP Framework. It is less a question of “if” and more a question of “when” the TADP Framework will receive a legal challenge in the CJEU, casting doubt on the ability of the agreement to withstand a fresh round of legal scrutiny within the European courts. Max Schrems, in a May 2022 open letter to EU leaders, called the U.S. reliance on executive orders “structurally insufficient” and called for a more substantive overhaul of U.S. privacy law.
Q5: Which privacy and data-sharing frameworks are evolving outside of the EU-U.S. bilateral relationship?
A5: The European Union and United States have both been busy negotiating other privacy frameworks. In April 2022, for example, the United States and six partners announced the establishment of the Global Cross-Border Privacy Rules (CBPR). The CBPR is designed to promote interoperability and to bridge divergent global regulatory approaches to data transfers and privacy regulations. Member countries in the CBPR include the United States, Canada, Japan, South Korea, Singapore, the Philippines, and Taiwan.
In 2018 the European Union entered into a data adequacy agreement with Japan. Under the agreement, Japan agreed to adopt supplementary rules that are binding and enforceable and which will be overseen by the Japanese independent data protection authority and the courts. Similar to European demands in the U.S. context, the EU-Japan agreement also contains language stipulating that the Japanese government will only collect data that is “necessary and proportionate.” It also establishes an independent redress system. One critical difference between the EU’s agreements with Japan and with the United States is that the European Union has recognized Japan’s data privacy standards as roughly equivalent to the GDPR. This recognition of Japanese data standards also means that data can flow freely from the European Union to Japan, obviating the need for firm-based certification.
Discussions on data flows and the establishment of privacy standards are also occurring in other multilateral organizations, such as the World Trade Organization (WTO) and Organization for Economic Cooperation and Development (OECD). It is notable that the U.S.-EU Trade and Technology Council (TTC) has sought to avoid this issue. The TTC has focused on charting new standards, for example on technology misuse, but has relied on government agency experts to maintain and conclude a deal replacing the Privacy Shield.
Emily Benson is a fellow with the Scholl Chair in International Business at the Center for Strategic and International Studies (CSIS) in Washington, D.C. Elizabeth Duncan is an intern with the Scholl Chair at CSIS.
Thank you to Scholl Chair interns Apeksha Chauhan, Daniel Elizalde, and Andrea Palazzi for their helpful input.
Critical Questions is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2022 by the Center for Strategic and International Studies. All rights reserved.