On July 10, the two final pieces fell into place to create a new lawful basis for transferring personal data from the European Union to the United States, implementing the EU/U.S. Data Privacy Framework announced last October. Attorney General Merrick Garland designated the European Union and the European Economic Area as “qualifying states” as defined by President Biden’s Executive Order 14086. This designation is crucial, because none of the safeguards in the Framework apply unless the intelligence services of these European countries provide sufficient privacy safeguards for Americans.
Also today, the European Union issued its final decision that the U.S. provides “adequate” protection of privacy, making it clearly lawful for companies and other organizations to send personal data from the EU to the United States, including through mechanisms such as Standard Contractual Clauses.
The National Security Division of the U.S. Department of Justice has published a detailed, 34-page Memorandum explaining the legal rationale for the Attorney General designation. This post provides initial comments on the Memorandum. I expect to publish within days a more detailed guide to the memorandum.
The Memorandum is important because the Executive Order allows the Framework to go into place only for countries with “appropriate safeguards” for how their intelligence activities protect the privacy of Americans. As the Memorandum explains, the U.S. Framework provides stricter safeguards, in some ways, than the member states of the EU. The Attorney General therefore could find the European protections good enough only on an overall basis, even though European nations lack some of the detailed safeguards for Americans’ data that the U.S. would apply to the data of Europeans.
As the Memorandum explains, the rationale for the designation of “qualifying states” is straightforward. There are three key bodies of law that provide essentially similar and appropriate safeguards: (1) the Framework; (2) a 2022 OECD Declaration; and (3) the jurisprudence of the European Court of Human Rights (ECtHR), which is the Court that has jurisdiction over EU governments’ national security processing of personal data.
The U.S., the European Union itself, and most of its member states have signed onto the 2022 OECD Declaration on Government Access to Personal Data Held by Private Sector Entities. The Memorandum concludes that the OECD principles “are on the whole similar both to the ‘minimum safeguards’ that the European Court for Human Rights has identified for signals intelligence activities in EU/EEA countries and to the safeguards in Executive Order 14086.”
In my view, for the intelligence activities of EU countries, the Department of Justice has provided a fully researched and thoughtful explanation for why the European Union provides sufficient privacy protections to Americans. The Memorandum shows that some details of European practice are less protective than the Framework. Nonetheless, the U.S. government recognizes that the details of institutional safeguards often vary. As the Memorandum concludes: “different countries, even those sharing democratic values and a commitment to the rule of law, will have legal and national security systems with differing histories and institutions, such that they may legitimately take differing approaches towards enacting privacy safeguards for signals intelligence activities.”
These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.