
EU–US Data Privacy Framework: A First Legal Assessment

Published online by Cambridge University Press:  26 October 2023

Sergi Batlle
Affiliation:
GEIE GECOTTI-PE, Lille, France
Arnaud van Waeyenberge (corresponding author; Email: van-waeyenberge@hec.fr)
Affiliation:
HEC Paris, Jouy-en-Josas, France

Abstract

The purpose of this contribution is to briefly present the content of the EU–US Data Privacy Framework recently adopted by the European Commission and then to assess whether it meets the expectations expressed by the Court of Justice of the European Union in its Schrems II judgment and related case law.

Type
Reports
Copyright
© The Author(s), 2023. Published by Cambridge University Press


References

1 Art 24 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – hereafter “GDPR”) – OJ L 119 of 4.5.2016, p 1 “… the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation …”.

2 Art 45 GDPR.

3 According to Art 46 GDPR, these safeguards may be provided, inter alia, by binding corporate rules approved by a competent supervisory authority or by standard data protection clauses approved by a competent supervisory authority or by the Commission. Currently, the latest version of these standard data protection clauses is the one approved by the Commission in its decision of 4 June 2021 (Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council – OJ L 199 of 7.6.2021, p 31).

4 Art 49 GDPR.

5 Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU–US Privacy Shield – OJ L 207 of 1.8.2016, pp 1–112.

6 CJEU, “Schrems II” judgment of 16 July 2020 in case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, ECLI:EU:C:2020:559. For an analysis of the case, see, among many others, M Rotenberg, “Schrems II, from Snowden to China: Toward a new alignment on transatlantic data protection” (2020) 26 European Law Journal 141; M Zalnieriute and G Churches, “Rejecting the Transatlantic Outsourcing of Data Protection in the Face of Unrestrained Surveillance” (2021) 80(1) Cambridge Law Journal 8.

7 This saga started with the Schrems I ruling (Case C-362/14 Maximillian Schrems v Data Protection Commissioner of 6 October 2015, ECLI:EU:C:2015:650) under the previous data protection Directive 95/46/EC of 24 October 1995. In the Schrems I ruling, the Court invalidated the so-called “Safe Harbour” EC Decision of 26 July 2000 on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (2000/520/EC). The Court found that – unlike Commission assertions – the Safe Harbour Scheme did not provide a level of protection for fundamental rights essentially equivalent to that guaranteed within the EU under the directive read in light of the Charter. The Court pointed out that a “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter” (point 94, emphasis added), declared the Safe Harbour Decision invalid and required the Irish Data Protection Commissioner to examine Mr Schrems’ complaint, and it eventually suspended the transfer of data of Facebook’s European subscribers to Facebook servers located in the USA.

8 See para 185, “Schrems II”, supra, note 6.

9 See para 197, “Schrems II”, supra, note 6. For an analysis post-Schrems II, see G Voss, “Transatlantic Data Transfer Compliance” (2022) 28 Boston University Journal of Science and Technology Law 158.

10 M Zalnieriute, “Data Transfers after Schrems II: The EU–US Disagreements Over Data Privacy and National Security” (2022) 55(1) Vanderbilt Journal of Transnational Law 1; D Hamilton and J Quinlan, The Transatlantic Economy 2023: Annual Survey of Jobs, Trade and Investment between the United States and Europe (Foreign Policy Institute, Johns Hopkins University SAIS/Transatlantic Leadership Network 2023) p II.

12 Executive Order (EO) 14086 of 7 October 2022, on Enhancing Safeguards for United States Signals Intelligence Activities, Sec. 2. Signals Intelligence Activities <https://www.state.gov/executive-order-14086-policy-and-procedures/>.

13 European Commission, 13 December 2022, Questions & Answers: EU–US Data Privacy Framework, draft adequacy decision <https://ec.europa.eu/commission/presscorner/detail/en/qanda_22_7632>.

14 EDPB Opinion 5/2023 of 28 February 2023 “on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU–US Data Privacy Framework” <https://edpb.europa.eu/our-work-tools/our-documents/opinion-art-70/opinion-52023-european-commission-draft-implementing_en>.

15 See EDPB Recommendations 02/2020 on the European Essential Guarantees for surveillance measures adopted on 10 November 2020 <https://edpb.europa.eu/sites/default/files/files/file1/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf>. These recommendations were adopted following the CJEU Schrems II judgment and can be summarised as the provision of four essential guarantees: (1) processing should be based on clear, precise and accessible rules; (2) necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated; (3) an independent oversight mechanism should exist; and (4) effective remedies need to be available to the individual.

16 European Parliament resolution of 11 May 2023 on the adequacy of the protection afforded by the EU–US Data Privacy Framework (2023/2501(RSP)): <https://www.europarl.europa.eu/doceo/document/TA-9-2023-0204_EN.html>.

17 ibid, point 19 of the conclusions. The European Parliament considers EO 14086 not to be sufficiently robust for providing a level of protection substantially equivalent to that guaranteed in the EU.

18 Commission implementing decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU–US Data Privacy Framework, C(2023) 4745 final <https://commission.europa.eu/system/files/2023-07/Adequacy%20decision%20EU-US%20Data%20Privacy%20Framework_en.pdf>.

19 For a critical assessment, see L Drechsler, A Elbi, E Kindt et al, “Third Time Is the Charm? The Draft Data Privacy Framework for International Personal Data Transfers From the European Union to the United States” CiTiP Working Paper 2023 <https://ssrn.com/abstract=4477120>; M Tzanou and P Vogiatzoglou, “In Search of Legal Certainty Regarding ‘Effective Redress’ in International Data Transfers: Unpacking the Conceptual Complexities and Clarifying the Substantive Requirements” (2023) 16 Review of European Administrative Law 11.

20 See Arts 45.2 and 93.2 of the GDPR and Art 5 of Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers – OJ L 55 of 28.2.2011, pp 13–18.

21 Interested organisations initiate the self-certification process, although the DoC will only place an organisation on the DPF list after having determined that the initial self-certification submission is complete. The DoC shall remove an organisation from the list if it fails to complete its annual re-certification or if it persistently fails to comply with the DPF principles.

22 See Annex I of Commission implementing decision of 10.7.2023, supra, note 18.

23 This is a simplification for the purposes of the report, as the competences, tasks and powers attributed in Chapter VI of the GDPR to the Supervisory Authorities in the EU are here divided between the DoC, the FTC and the DoT, among others.

24 For more details, see paras 64–85 of the decision mentioned supra, note 18.

25 See para 185, “Schrems II”, supra, note 6.

26 Presidential Policy Directive 28 – Signals Intelligence Activities, 17 January 2014 <https://obamawhitehouse.archives.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activities>.

27 National Security Memorandum on Partial Revocation of Presidential Policy Directive 28, 7 October 2022 <https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/07/national-security-memorandum-on-partial-revocation-of-presidential-policy-directive-28/>.

28 EO 14086, supra, note 12.

29 EO 14086, sub-section c “Privacy and civil liberties safeguards”, point ii “Bulk collection of signals intelligence”, supra, note 12.

30 Foreign Intelligence Surveillance Act of 1978, as amended (50 U.S.C. 1801 et seq.).

31 See para 197, “Schrems II”, supra, note 6.

32 The Data Protection Review Court (DPRC) is established by the Department of Justice regulation published on 14 October 2022, 87 FR 62303, pp 62303–08 <https://www.federalregister.gov/documents/2022/10/14/2022-22234/data-protection-review-court>.

33 “Qualifying complaint” and “qualifying state” are defined in sections 4(k) and 3(f), respectively, of EO 14086, supra, note 12.

34 EO 14086, section 3, supra, note 12.

35 Art 52 of the Charter of Fundamental Rights.

36 See para 175 of the Schrems II judgment, supra, note 6, and the case law cited there.

37 This is still the position of the European Parliament. See, eg, European Parliament resolution of 20 May 2021 on the ruling of the CJEU of 16 July 2020 – Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II”), Case C-311/18 (2020/2789(RSP)), and, more recently, the draft motion for a resolution of the Committee on Civil Liberties, Justice and Home Affairs on the adequacy of the protection afforded by the EU/US Data Privacy Framework of 14 February 2023 (2023/2501(RSP)).

38 As long as the norm is “adequately accessible and formulated with sufficient precision”; see ECtHR, Sunday Times v UK (No 1), 26 April 1979.

39 C-623/17, Privacy International, ECLI:EU:C:2020:790, point 68.

40 For a detailed review of the relationship between proportionality and the “respect for the essence test” in light of the CJEU case law, see K Lenaerts, “Limits on Limitations: The Essence of Fundamental Rights in the EU” (2019) 20 German Law Journal 779–93.

41 Para 180 of “Schrems II”, supra, note 6.

42 Para 181 of “Schrems II”, supra, note 6.

43 Mutatis mutandis, see also Privacy International, C-623/17, supra, note 39, para 44: “… according to the settled case-law of the Court, although it is for the Member States to define their essential security interests and to adopt appropriate measures to ensure their internal and external security, the mere fact that a national measure has been taken for the purpose of protecting national security cannot render EU law inapplicable and exempt the Member States from their obligation to comply with that law”.

44 For more details, see points 135 et seq. of the abovementioned Commission decision, supra, note 18.

45 This two-layer redress mechanism is described in sections c) and d) of EO 14086, supra, note 12.

46 “Schrems II”, supra, note 6, point 194 (emphasis added).

47 According to Art 52(3) of the Charter, the meaning and scope of the rights guaranteed in the Charter are the same as in the ECHR. However, the Charter may provide more extensive protection.

48 Eg ECtHR, 28 June 1984, Campbell and Fell v. UK, no. 7819/77.

49 Art 13 ECHR stipulates that “[e]veryone whose rights and freedoms as set forth in the Convention are violated shall have an effective remedy before a national authority”.

50 See ECtHR, judgment of 6 September 1978, Klass and others v. Germany, n°5029/71. In para 67, in fine the ECtHR stated that “[i]n the Court’s opinion, the authority referred to in Article 13 may not necessarily in all instances be a judicial authority in the strict sense. Nevertheless, the powers and procedural guarantees an authority possesses are relevant in determining whether the remedy before it is effective.”

51 Para 195 in fine of “Schrems II”, supra, note 6.

52 The two main criteria of independence from the executive have been clarified by the Strasbourg Court. On the one hand, independence is preserved when judges are appointed to sit in an individual capacity and cannot receive instructions from public authorities; what matters here are the guarantees offered to judges during their term of office, in particular security of tenure. On the other hand, the second criterion concerns the existence of safeguards against external pressure and the appearance of independence (for more details, see ECtHR, 22 October 1984, Sramek v. Austria, no. 8790/79 and ECtHR, 18 June 1971, De Wilde, Ooms and Versyp v. Belgium, nos. 2832/66, 2835/66 and 2899/66).

53 See point 3.2.4 of the EDPB opinion 5/2023, supra, note 14.

54 Supra, note 50.

55 For more details, see EO 14086, sections 3.C (ii) and 3.D (ii), supra, note 12, and Attorney General regulation of 7 October 2022 establishing the DPRC.

56 EO 14086 section 3.D (i)(A), supra, note 12.

57 For an analysis of this point, see A Savin, “The New Framework for Transatlantic Data Transfers”, CBS LAW Research Paper No. 23-01, p 12 <https://ssrn.com/abstract=4494289>.

58 For a proposal of a hybrid solution that could satisfy both parties, see I Rubinstein and P Margulies, “Risk and Rights in Transatlantic Data Transfers: EU Privacy Law, U.S. Surveillance, and the Search for Common Ground” (2022) 54 Connecticut Law Review 391, spec. 447.

59 In this sense, the European Parliament Committee on Civil Liberties, Justice and Home Affairs pointed out that, unlike all other third countries that have received an adequacy decision under the GDPR, the USA still does not have a federal data protection law (see the draft motion for a resolution of 14 February 2023, supra, note 37).

60 For an in-depth analysis of the difference between the two systems, see P Schwartz and K Peifer, “Transatlantic Data Privacy” (2017) 106 Georgetown Law Journal 115.

61 It should be remembered that almost half of the world’s data storage capacity is located in the USA. Thus, on 17 May 2021, France presented its new “National Strategy for the Cloud”, which develops a new doctrine based on French digital sovereignty in order to respond to, among other things, the “extraterritorial” American laws on intelligence and the risks linked to cybersecurity <https://www.economie.gouv.fr/files/files/Thematiques/numerique/Transcript_presentation_strategie_nationale_cloud.pdf>.

62 See Art 46 of the GDPR regarding transfers to a third country with “appropriate safeguards” in the absence of an adequacy decision.