Hamburg DPA issues optimistic stance on Executive Order for EU-U.S. Data Privacy Framework

The Data Protection Authority (“DPA”) of the German state Hamburg is one of the first European DPA to publish an optimistic assessment on the U.S. Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities” (“EO”) and its ability to meet European standards for data transfers to the U.S., despite rather critical statements from other European DPAs and privacy activists. In the view of the Hamburg DPA, the EO can serve as a basis for a new adequacy decision for EU-U.S. data transfers. In its statement, the Hamburg DPA rejects some of the previously published criticism of the EO and instead insists on a well-founded and an open-ended assessment of the new EO in light of its practical implementation by U.S. government bodies.

Index

Background

The EO of 7 October issued by the U.S. Government (see our blog post for a summary of the EO) is a crucial element on the way to a new adequacy decision of the European Commission for transfers of personal data from the EU/EEA. While the signing of the EO was welcomed by the European Commission and other major stakeholders, there were also voices expressing skepticism whether the legislative changes brought by the EO fully address the requirements specified by the Court of Justice of the European Union (“CJEU”) in its Schrems II decision (C-311/18).

Particularly, the DPA of Baden-Wuerttemberg, as first EU DPA issuing an opinion on the EO, raised several doubts (see our blog post of 28 October 2022). In contrast to these critical voices, the Hamburg DPA, in a statement of 29 November 2022 (see here in German), now takes a more balanced view by pointing at the positive aspects of the EO while at the same time not losing sight of remaining challenges.

Summary of the Opinion

In its opinion, the Hamburg DPA highlights that by granting European citizens guarantees against U.S. intelligence services, the U.S. government has taken a big step towards meeting the European standard for treating the privacy of personal data as a fundamental right. For this reason, the DPA considers the rather reflexive and generalized criticism issued by some stakeholders with regard to the EO to be misplaced. It emphasizes that any final assessment on whether the requirements of the CJEU are addressed depend on various details and the implementation of the EO in practice, as well as on the content of the European Commission's draft adequacy decision.

In addition, the Hamburg DPA made the following key points:

  • For the first time (from an European perspective), U.S. intelligence activities are subject to a proportionality clause. The Hamburg DPA considers this to be positive as it shows the U.S. willingness to limit the scope of government data collection. The Hamburg DPA rejects the common criticism that the U.S. interpretation of "proportionality" does completely correspond 1:1 to the German concept of proportionality. Rather, in the view of the Hamburg DPA, the definition of proportionality in the EO is recognizably based on European constitutional law. An adequacy decision does not require completely congruent legal systems, but merely a level that is essentially the same. The DPA considers it speculative to assume in advance that legal concepts could be inadequately interpreted by U.S. authorities when implemented in practice.

  • The DPA also considers it positive that the aspect of effective legal protection for European citizens against intelligence activities as required by the CJEU has been taken up in the EO. The Data Protection Review Court (“DPRC”) established under the EO, a body with binding decision-making powers, enjoys the status of a court and is staffed with independent judges from outside the executive branch. Among other things, the DPRC can order data erasure and processing restrictions, and if the judicial review process reveals unlawful processing, it must be stopped.

  • On a more critical side, the DPA notes that for EU data subjects the legal protection procedure might lack transparency, as there is no requirement that DPRC decisions must contain information on whether and what remediation action has been taken. Against this background, the DPA concludes that the European Commission will have to thoroughly examine the tension between the U.S. Government’s confidentiality interests and the interests of the European data subjects concerned.

  • Notably, the Hamburg DPA considers the EO to be an appropriate legislative instrument to address the concerns of the CJEU. It expressly states that an executive order is not “second-class law” by referring to the fact that robust interventions such as economic sanctions and counterterrorism have been effectively enforced by presidential order for decades. The DPA also does not see any problem in the fact that the EO could be quickly withdrawn with a change of U.S. Government, as this is also true for parliamentary laws. Furthermore, the European Commission will be able to react to a lifting of the EO with a prompt withdrawal of the adequacy decision.

  • The DPA however expresses concerns that the bulk collection of data by U.S. government agencies is continued, and that it is therefore not clear from the EO text to what extent the new proportionality clause specifically changes bulk collection. In view of the DPA, it is therefore important to closely monitor the future implementation of the EO in practice to identify any undesirable developments.

  • With regard to the current impact of the EU, the Hamburg DPA notes the EO provides for a transition period of up to one year, during which the eighteen U.S. intelligence agencies will need to integrate the guarantees provided for in the EO into their practice. According to information from the Hamburg DPA, many of these intelligence agencies will still need several months for the implementation. Also, the institutional guarantees in form of a complaints body and the DPRC are not yet fully implemented. These implementation timelines must be considered in Transfer Impact Assessments (“TIAs”) that are currently being performed.

Takeaways

The opinion published by the Hamburg DPA is a welcome contrast compared to the sometimes echoed sweeping criticism of the EO. By advocating for an unbiased evaluation of the practical implementation of the EO and its integration into a new adequacy decision of the European Commission for EU-U.S. data transfers, the Hamburg DPA takes a realistic approach which hopefully helps to calm down of the heated debate on U.S. adequacy.

At the same time, the opinion of the Hamburg DPA shows that views on the EO can vary even among German state DPAs. It is therefore essential for companies to closely monitor new developments and statements by local DPAs on EU-U.S. data transfers, as well the further procedure to an adequacy decision by the European Commission. The adaption procedure includes a statement of the European Data Protection Board on the draft adequacy decision which is expected for the near future.

 

Authored by Henrik Hanssen and Amelie Raepple.

Contacts
Henrik Hanssen
Counsel
Hamburg
Index

 

This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.