December Newsletter
Connect December issue
The December edition of the OneTrust PrivacyConnect Newsletter includes exciting news about some of our upcoming Data Privacy Day events and an article from our San Jose Chapter Chair, Paul Lanois.
But first, as the year draws to a close, we want to extend our thanks and gratitude to everyone who has participated at a PrivacyConnect event this year, whether speaking or attending online or in person. The PrivacyConnect community wouldn’t be what it is without your continued support and we look forward to hosting you all again in the new year.
Best wishes for the holiday season and a happy New Year from the OneTrust PrivacyConnect team.
Community update: Data Privacy Day
Data Privacy Day is just a month away and we have a lot of interesting things happening to celebrate. From January 23, 2023, OneTrust will be getting the celebrations started with a range of events and Data Privacy Day resources to help you make the most of Data Privacy Day.
Below are some events hosted by OneTrust for you to join, and we would love to see you there!
Be sure to visit www.privacyconnect.com to keep an eye out for all upcoming PrivacyConnect meetings and OneTrust events.
European Commission issues draft adequacy decision for EU-U.S. Data Privacy Framework
Since the European Court of Justice invalidated the EU-U.S. Privacy Shield Framework in the Schrems II decision of July 2020, transfers of personal data from the European Union to the United States have been subject to a high level of regulatory scrutiny.
On December 13, 2022, the European Commission adopted a draft adequacy decision designating the EU-U.S. Data Privacy Framework (Framework) as “adequate” under the GDPR. This decision comes just two months after President Biden signed Executive Order 14086 "Enhancing Safeguards for United States Signals Intelligence Activities" (EO 14086). EO 14086 introduces new safeguards for U.S. signals intelligence activities that represent a significant milestone for transatlantic data transfers.
The draft adequacy decision concludes that the United States ensures an adequate level of protection for personal data transferred from the EU to the US. By way of reminder, adequacy decisions are one of the tools offered by Chapter V of the GDPR to legitimize transfers of personal data from the EU to third countries, which – according to the European Commission – are found to provide an adequate level of protection of personal data.
The European Commission stated that this draft adequacy decision is based on an in-depth assessment of the EU-U.S. Data Privacy Framework and its obligations for companies, as well as the limitations and safeguards on access by US public authorities to data transferred to the US, in particular for criminal law enforcement and national security purposes.
What safeguards have been introduced under U.S. law?
EO 14086 introduces a number of new safeguards with respect to the collection of personal data by U.S. intelligence agencies:
In what way is the new redress mechanism different from the previous Privacy Shield Ombudsperson?
EO 14086, together with the accompanying Regulation, establishes a new two-layer redress mechanism, with independent and binding authority.
Under the first layer, EU individuals will be able to lodge a complaint with the so-called ‘Civil Liberties Protection Officer’ of the US intelligence community. This person is responsible for ensuring compliance by US intelligence agencies with privacy and fundamental rights.
Under the second layer, individuals will have the possibility to appeal the decision of the Civil Liberties Protection Officer before the newly created Data Protection Review Court (DPRC). The Court will be composed of members from outside the US Government, who are appointed on the basis of specific qualifications, can only be dismissed for cause (such as a criminal conviction, or being deemed mentally or physically unfit to perform their tasks) and cannot receive instructions from the government. The Data Protection Review Court will have powers to investigate complaints from EU individuals, including to obtain relevant information from intelligence agencies, and will be able to take binding remedial decisions. For example, if the DPRC finds that data was collected in violation of the safeguards provided in the Executive Order, it will be able to order the deletion of the data.
To further enhance the Court's review, in each case, the Court will select a special advocate with relevant experience to support the Court, who will ensure that the complainant's interests are represented and that the Court is well-informed of the factual and legal aspects of the case. This will ensure that both sides are represented, and introduces important guarantees in terms of fair trial and due process.
What are the next steps in the process?
The draft adequacy decision was sent to the European Data Protection Board (EDPB) for it to provide its opinion on whether the new EU-U.S. Data Privacy Framework is sufficient to ensure an equivalent level of protection for personal data transferred from the EU to U.S. companies. Afterwards, the Commission will need to obtain the green light from a committee composed of representatives of the EU Member States. In addition, the European Parliament has a right of scrutiny over adequacy decisions.
Once the adoption process is complete, the adequacy decision will be finalized. The adoption process for the EU-U.S. Data Privacy Framework is expected to take around six months.
What are the options available to companies in the meantime?
It is important to remember that an adequacy decision is not the only tool for international transfers.
Standard Contractual Clauses ("SCCs"), which companies can introduce in their commercial contracts, are the most commonly used mechanism to transfer data originating from the EU. In 2021, the European Commission adopted modernised SCCs to facilitate their use, taking into account the requirements set by the Court of Justice in the Schrems II judgment. Practical guidance to companies relying on Standard Contractual Clauses for transferring data is also available.
Importantly, the European Commission has indicated that all the safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) will be available for all data transfers towards companies located in the US under the GDPR, regardless of the transfer mechanisms used. In other words, these safeguards will be helpful for transfer impact assessments, including for transfers conducted under the SCCs.