Today, the European Commission published the text of the new EU-U.S. Privacy Shield (see the Commission’s press release here), which consists of:

  • a draft adequacy decision;
  • the EU-U.S. Privacy Shield Framework Principles issued by the U.S. Department of Commerce; and
  • the official representations and commitments contained in separate letters from:
    • Secretary of Commerce Penny Pritzker (Annex I);
    • Secretary of State John Kerry (Annex III);
    • Federal Trade Commission Chairwoman Edith Ramirez (Annex IV),
    • Secretary of Transportation, Anthony Foxx (Annex V);
    • General Counsel Robert Litt, Office of the Director of National Intelligence (Annex VI); and
    • Deputy Assistant Attorney General Bruce Swartz, U.S. Department of Justice (Annex VII).

In addition, the European Commission issued a Communication titled “Transatlantic Data Flows: Restoring Trust through Strong Safeguards” which presents the developments and the Commission’s findings since its critical 2013 Communication on the Functioning of the Safe Harbor, a Q&A and a Fact sheet. Continue Reading EU-U.S. Privacy Shield Package Released

As we reported yesterday, the United States and the European Commission have reached a political agreement on a new framework for transatlantic data flows, referred to as the EU-U.S. Privacy Shield.  The U.S. Department of Commerce (“Commerce”) released a fact sheet yesterday to coincide with the announcement of the agreement.

The fact sheet includes a series of bullet points listing ways in which the Privacy Shield (1) “significantly improves commercial oversight and enhances privacy protections,” and (2) “demonstrates the U.S. Commitments to limitations and safeguards on national security.”  On the first point, Commerce states that “EU individuals will have access to multiple avenues to resolve concerns,” including alternative dispute resolution at no cost to individuals.  In addition, Commerce “will step in directly and use best efforts to resolve referred complaints” using a “special team with significant new resources.”  On the second point, the fact sheet references President Obama’s executive actions to enhance privacy protections and oversight relating to U.S. government surveillance activities.  Finally, Commerce states that “the United States is making the commitment to respond to appropriate requests” regarding U.S. intelligence activity, in a manner that is consistent with national security obligations.

On February 3rd, the Article 29 Working Party, representing Europe’s data protection authorities, published its reaction to the announcement of a new “Privacy Shield” political agreement between the European Commission and the U.S. Government.  The Privacy Shield agreement, announced on February 2nd (and further described in our blog post here), is intended to replace the now-defunct Safe Harbor Framework, and may form a future legal basis for transatlantic data flows between Europe and the United States. Continue Reading Article 29 Working Party Reacts to the U.S.-EU Privacy Shield Agreement

Today (February 2nd, 2016), the European Commission and U.S. Government reached political agreement on the new framework for transatlantic data flows.  The new framework – the EU-U.S. Privacy Shield – succeeds the EU-U.S. Safe Harbor framework (for more on the Court of Justice of the European Union decision in the Schrems case declaring the Safe Harbor invalid, see our earlier post here).  The EU’s College of Commissioners has also mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement. Continue Reading Agreement Reached on New EU-U.S. Safe Harbor: the EU-U.S. Privacy Shield

On October 7, 2022, President Biden signed an Executive Order directing the steps that the United States will take to implement its commitments under the new EU-U.S. Data Privacy Framework.  The framework was announced by the U.S. and the EU Commission in March 2022, after reaching a political agreement in principle (see our blog post here).

The Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities is intended to address the concerns raised by the Court of Justice of the EU (“CJEU”) in its Schrems II judgment on July 16, 2020, which annulled the EU-U.S. Privacy Shield (see our blog post here).  There, the CJEU held that the U.S. did not provide an “essentially equivalent” level of data protection to that found in the EU, due in part to extensive powers granted to U.S. law enforcement and intelligence agencies to access individuals’ personal data, and an absence of effective legal remedies for EU residents in connection with those powers.  The CJEU focused on two U.S. authorities in particular:  FISA Section 702 and Executive Order 12333.

To address these concerns, the new Executive Order sets forth certain “privacy and civil liberties safeguards” for U.S. signals intelligence activities and creates a new method of redress for non-U.S. persons from “qualifying states.”  In particular, and among other provisions, the Executive Order:

  • Provides that U.S. signals intelligence activities shall be “necessary” and “proportionate” to a “validated intelligence priority.”  The Executive Order provides that U.S. signals intelligence activities may only be conducted following a determination that they are “necessary to advance a validated intelligence priority,” and “only to the extent and in a manner that is proportionate to the validated intelligence priority for which they have been authorized.”  Exec. Order § 2(a)(ii)(A).  The Executive Order also specifies certain “legitimate objectives” and “prohibited objectives” for which U.S. signals intelligence activities may be carried out.  Exec. Order § 2(b).  For example, the Executive Order defines “legitimate objectives” to include understanding or assessing the capabilities, intentions, or activities of foreign organizations that pose a current or potential threat to the national security of the U.S. or its allies or partners; protecting against terrorism, the taking of hostages, and the holding of individuals captive conducted by or on behalf of a foreign government, foreign organization, or foreign person; and understanding or assessing transnational threats that impact global security.  Exec. Order § 2(b)(i).
  • Sets forth requirements for the handling of personal information collected through signals intelligence.  Each element of the U.S. Intelligence Community that handles personal information collected through signals intelligence must establish policies and procedures to minimize the dissemination and retention of personal information.  Exec. Order § 2(c)(iii)(A).  For example, under the Executive Order, the U.S. Intelligence Community may not disseminate personal information collected through signals intelligence solely because of a person’s nationality or country of residence, and shall retain non-U.S. persons’ personal information “only if the retention of comparable information concerning United States persons would be permitted under applicable law.”  Exec. Order § 2(c)(iii)(A).  The Executive Order further provides that each element of the Intelligence Community must maintain appropriate training requirements to ensure that employees with access to signals intelligence know and understand the requirements of the Order.  Exec. Order § 2(d)(ii).  The Executive Order encourages the Privacy and Civil Liberties Oversight Board to review the U.S. Intelligence Community’s updated policies and procedures to ensure that they are “consistent with the enhanced safeguards” contained in the Order.  Exec. Order § 2(c)(v).
  • Establishes a mechanism for non-U.S. persons to seek review of the U.S. Intelligence Community’s signals intelligence activities.  Within sixty days of the Executive Order’s issuance, the Director of National Intelligence (“DNI”), in consultation with the U.S. Attorney General and the heads of elements of the U.S. Intelligence Community, shall establish a process for the submission of “qualifying complaints transmitted by the appropriate public authority in a qualifying state.”  Exec. Order § 3(b).  To implement this redress mechanism, the Attorney General may designate a country or regional economic integration organization a “qualifying state” based on a determination, in consultation with the Secretary of State, the Secretary of Commerce, and the DNI, that the country’s or organization’s laws establish “appropriate safeguards” for U.S. persons’ personal information that is transferred from the United States.  Exec. Order § 3(f).  The DNI’s Civil Liberties Protection Officer (“CLPO”) will investigate, review, and, as necessary, order “appropriate remediation” for complaints from qualifying states.  Exec. Order § 3(c).  “Appropriate remediation” may include, depending on the specific covered violation at issue, terminating acquisition of data where collection is not lawfully authorized, deleting data that had been acquired without lawful authorization, or restricting access to lawfully collected data to those appropriately trained.  Exec. Order § 4(a).
  • Creates a Data Protection Review Court to review the CLPO’s determination regarding qualifying complaints.  The Attorney General, in consultation with the Secretary of Commerce, the DNI, and the Privacy and Civil Liberties Oversight Board, shall appoint judges to serve on a newly created Data Protection Review Court, who will be legal practitioners with appropriate experience in the fields of data privacy and national security law, and who may not be U.S. government employees.  Exec. Order § 3(d).  Following the CLPO’s determination, the complainant (or, in the event of an adverse decision against the U.S. government, an element of the U.S. Intelligence Community) may apply to the Data Protection Review Court for review of the CLPO’s decision.  Exec. Order § 3(c)(i)(E).  Upon receipt of an application for review, a three-judge panel of the Data Protection Review Court will convene to review the application and select a special advocate to assist with the review, including by advocating the complainant’s interest in the matter.  Exec. Order § 3(d)(i)(B)‑(C).  The Data Protection Review Court’s determination shall be binding on the U.S. Intelligence Community.  Exec. Order. § 3(d)(ii).

The European Commission will now review the Executive Order and commence drafting a new adequacy decision pursuant to Article 45 of GDPR.  The European Commission must then hear from the European Data Protection Board (“EDPB”) and the EU Member States.  The formal adoption process is expected to take around six months, and may result in the final adequacy decision’s publication in March 2023.

Once adopted, any new framework is certain to be pressure-tested before the EU courts.  To date, a number of privacy advocacy groups have issued statements opining that the new Executive Order is insufficient.

***

The Covington team will keep monitoring any developments on the EU-U.S. Data Privacy Framework and continue to report on them on our blog Inside Privacy.

Introduction

In this update, we detail the key legislative developments in the second quarter of 2021 related to artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and federal privacy legislation.  As we recently covered on May 12,  President Biden signed an Executive Order to strengthen the federal government’s ability to respond to and prevent cybersecurity threats, including by removing obstacles to sharing threat information between private sector entities and federal agencies and modernizing federal systems.  On the hill, lawmakers have introduced a number of proposals to regulate AI, IoT, CAVs, and privacy. Continue Reading U.S. AI, IoT, CAV, and Privacy Legislative Update – Second Quarter 2021

Sen. Ed Markey (D-MA) and Rep. Ted Lieu (D-CA-33) reintroduced the Cyber Shield Act on March 24, 2021. The proposed legislation is not new to Congress; Sen. Markey and Rep. Lieu previously introduced the Cyber Shield Act in both 2017 and 2019. However, the bill never made it to a vote in either the House or the Senate. Continue Reading “Cyber Shield Act” Calling for IoT Device Certification Reintroduced in Congress

In the wake of the Court of Justice of the European Union’s (“ECJ”) Schrems II decision invalidating the EU-U.S. Privacy Shield (“Privacy Shield”) but upholding the validity of standard contractual clauses (“SCCs”), the U.S. government has released a White Paper entitled “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II.”  The Schrems II ruling requires companies relying on SCCs “to verify, on a case-by-case basis,” whether the level of protections afforded by the SCCs are respected and observed in the recipient country.  According to the cover letter accompanying the White Paper, it “outlines the robust limits and safeguards in the United States pertaining to government access to data” as part of “an effort to assist organizations in assessing whether their transfers offer appropriate data protection in accordance with the ECJ’s ruling.”

The cover letter emphasizes that while the White Paper is intended to help companies make the case that they can transfer personal data from the EU to the United States in compliance with EU law, it does not “eliminate the urgent need for clarity from European authorities or the onerous compliance burdens generated by the Schrems II decision.”  It concludes by citing the importance of the “$7.1 trillion transatlantic economic relationship” and stating that “the Trump Administration is exploring all options at its disposal and remains committed to working with the European Commission to negotiate a solution that satisfies the ECJ’s requirements while protecting the interests of the United States.” Continue Reading U.S. Government Issues White Paper on Privacy Safeguards Following Schrems II

The Court of Justice of the European Union’s recent decision in the “Schrems II’ case was one of the most highly anticipated decisions in the world of data privacy, striking down the EU-U.S. Privacy Shield, but upholding the validity of standard contractual clauses.

Tune in to the first episode of Covington’s Inside Privacy Audiocast, where Dan Cooper moderates a discussion with Kristof Van Quathem, who was part of Covington’s case team, on the implications of the judgment. Our speakers offer valuable insights on how companies should pave the way forward in a post-Schrems II environment.

Covington’s Inside Privacy Audiocast offers insights into topical global privacy issues and trends. Subscribe to our Inside Privacy Blog to receive notifications on new episodes.

On June 16, 2020, the First Circuit released its opinion in United States v. Moore-Bush.  The issue presented was whether the Government’s warrantless use of a pole camera to continuously record for eight months the front of Defendants’ home, as well as their and their visitors’ comings and goings, infringed on the Defendants’ reasonable expectation of privacy in and around their home and thereby violated the Fourth Amendment.  The appeal followed the district court’s decision in June 2019 in favor of Defendants’ motions to exclude evidence obtained via the pole camera.  The Government, without obtaining a warrant, had installed a pole camera on a utility pole across the street from Defendants’ residence.  The pole camera (1) took continuous video recording for approximately eight months, (2) focused on the driveway and the front of the house, (3) had the ability to zoom in so close that it can read license plate numbers, and (4) created a digitally searchable log.

In their motions to exclude, the Defendants, relying on Katz v. United States, argued they had both a subjective and objective reasonable expectation of privacy in the movements into and around their home, and that the warrantless use of the pole camera therefore constituted an unreasonable search under the Fourth Amendment.  The Government relied on an earlier First Circuit case, United States v. Bucci, which held that there was no reasonable expectation of privacy in a person’s movements outside of and around their home—“An individual does not have an expectation of privacy in items or places he exposes to the public.”  Thus, Bucci held that use of a pole camera for eight months did not constitute a search. Continue Reading United States v. Moore-Bush: No Reasonable Expectation of Privacy Around the Home