On Friday 7 October 2022, President Biden issued an Executive Order on "Enhancing Safeguards for United States Signals Intelligence Activities". The new Executive Order aims to address the legal uncertainty surrounding EU-US data transfers following the invalidation of the EU-US Privacy Shield by the Court of Justice of the European Union ("CJEU") in Schrems II. The EU-US Privacy Shield was invalidated on the grounds that: (i) US intelligence authorities' powers were not sufficiently circumscribed in US legislation to what was necessary and proportionate, and (ii) EU citizens had insufficient means of redress before the US courts to challenge US intelligence authorities' surveillance activities.
The Executive Order introduces new binding safeguards aimed at addressing the CJEU's findings in Schrems II, in particular by: (i) limiting US intelligence authorities' access to data to what is necessary and proportionate to protect national security, and (ii) establishing a new independent and impartial redress mechanism, which includes a new Data Protection Review Court ("DPRC") to investigate and resolve complaints regarding access to data by US intelligence authorities. The Executive Order requires US intelligence agencies to review their policies and procedures to implement these new safeguards.
On 25 March 2022, the European Commission and US Government announced that they had reached an agreement in principle on a new EU-US Data Privacy Framework. The adoption of the Executive Order, accompanying Regulations, along with a series of letters from US agencies to the EU, enables the European Commission to now prepare a draft adequacy decision in favour of the US, otherwise known as the "EU-US Data Privacy Framework" ("EU-US DPF").
What safeguards are included in the Executive Order?
The Executive Order, and accompanying Regulations, implement commitments made by the US in the agreement in principle announced earlier this year.
(i) Limiting US Intelligence Services' Access to Data
The Executive Order requires U.S. intelligence authorities' activities to be subject to additional safeguards. These safeguards include requiring that such activities be: (i) conducted only in pursuit of defined national security objectives; (ii) take into consideration the privacy and civil liberties of all persons regardless of nationality or country of residence; and (iii) be conducted only to the extent and in a manner that is proportionate to the validated intelligence priority for which they have been authorised.
US intelligence authorities are required to designate senior-level legal, and compliance officials to conduct periodic oversight of signals intelligence activities, including to ensure that appropriate actions are taken to remediate incidents of non-compliance.
U.S. intelligence authorities are required to update their policies and procedures as necessary to reflect the new privacy and civil liberties safeguards contained in the Executive Order.
(ii) New Redress Mechanism
The Executive Order creates a two-layer redress mechanism enabling individuals from qualifying states and regional economic integration organizations (as designated in the Order), to seek redress if they believe their personal data was collected through U.S. signals intelligence in a manner that violated applicable U.S. law, including the enhanced safeguards in the Executive Order.
Under the first layer of review, EU individuals will be able to lodge a complaints with the Civil Liberties Protection Officer ("CLPO") of the US Intelligence Community, who will conduct an initial investigation to determine whether the Executive Order’s enhanced safeguards or other applicable U.S. law were violated and, if so, to determine the appropriate remediation. The CLPO’s decision will be binding on the Intelligence Community, subject to the second layer of review. The Executive Order provides protections to ensure the independence of the CLPO’s investigations and determinations.
Under the second layer of review, individuals will have the opportunity to appeal the decision of the CLPO before the newly created Data Protection Review Court (“DPRC”). Judges on the DPRC will be appointed from outside the U.S. Government, have relevant experience in the fields of data privacy and national security, review cases independently, and enjoy protections against their removal. Decisions of the DPRC regarding whether there was a violation of applicable U.S. law and, if so, what remediation is to be implemented will be legally binding.
To further enhance the DPRC’s review, in each case the DPRC will select a special advocate who will advocate regarding the complainant’s interest in the matter and ensure that the DPRC is well-informed of the issues and the law with regard to the matter.
New Regulations, published alongside the Executive Order, provide for the establishment of the DPRC. The US Department of Justice is expected to publish additional information about the DPRC soon, including the process for individuals to submit applications for independent review by the DPRC of determinations by the CLPO.
The European Commission has stated that the new redress mechanism is "a significant improvement, compared to the mechanism that existed under the Privacy Shield". Previously, individuals could only turn to an Ombudsperson, which lacked both the power to adopt decisions that could bind US intelligence authorities and independence from the executive, since the Ombudsman could be dismissed.
The Executive Order and accompanying Regulations provide the European Commission with a basis to prepare a draft adequacy decision under Article 45 of the GDPR. It is expected that the adoption procedure for the adequacy decision could take up to 6 months. During the process, the European Commission will obtain an opinion from the European Data Protection Board ("EDPB") on the draft adequacy decision, but is not bound by its findings. A qualified majority of EU Member States must then approve the draft decision.
Once the European Commission adopts a formal US adequacy decision, US companies will be able to join the EU-US DPF by self-certifying with the US Department of Commerce, and committing to comply with a detailed set of privacy principles. It will undoubtedly be a welcome relief to self-certified companies transferring data from the EU to the US to be able to rely on the EU-US DTF, and avoid the uncertainties associated with relying on Article 46 transfer tools, including transfer impact assessments and supplementary measures.
However, despite the fact that a new US adequacy decision appears to be very clearly on the horizon, and there is significant EU and US political and industry support for the EU-US DPF, companies should be aware that it is not guaranteed.
Further Legal Uncertainty Ahead?
Although a new US adequacy decision will bring some welcome legal certainty in regard to how to legitimise EU-US data transfers, businesses should be aware that such legal certainty may be short-lived. EU privacy advocate, Mr Schrems, has already alleged that the new Executive Order - on which the US adequacy decision will be based - does not address the concerns raised by the CJEU in Schrems II. In particular, Mr Schrems notes that "bulk surveillance" continues under the new Executive Order and the new Data Protection Review Court is not a real "Court" in the normal legal meaning of Article 47 of the EU Charter or the US constitution, but rather a body within the US government's executive branch, and would not amount to "judicial redress" as required under the EU Charter. It therefore appears likely that any new US adequacy decision based on the Executive Order will be subject to challenge before the CJEU by Mr Schrems and his privacy advocacy group, NYOB, or by another group. The question is whether the EU-US DTF will survive such challenges. Only time will tell.
What should Companies do now?
Whilst we await the adoption of a formal US adequacy decision, which is unlikely to occur before Spring 2023, businesses must continue to put in place an Article 46 GDPR transfer tool (such as the SCCs or BCRs), implement any necessary supplementary measures (having regard to the EDPB Recommendations 01/2020) and carry out a Transfer Impact Assessment, prior to transferring any personal data from the EU to the US.
It is worth noting that the safeguards contained within the Executive Order are available for all EU-US data transfers under the GDPR, regardless of the transfer tool used. Accordingly, companies should start taking account of the new safeguards when carrying out their Transfer Impact Assessments in respect of EU-US transfers, as the safeguards (including the redress mechanism once implemented) should serve to lower the data protection risks associated with such transfers.
It will be interesting to see how EU Data Protection Authorities ("DPAs") react to the safeguards in the Executive Order pending the adoption of a formal US adequacy decision. In any enforcement proceedings regarding EU-US data transfers going forward, EU DPAs should consider the impact of the new safeguards when assessing the lawfulness of the transfer. However, it remains to be seen how the new safeguards will affect existing investigations and draft decisions. It is hoped that the new safeguards will provide greater legal certainty for companies using any Article 46 GDPR transfer tool to transfer personal data from the EU to the US, to the extent that they will reduce the risk of unjustifiable access to transferred data by US intelligence authorities, and enable EU individuals to seek effective redress in respect of any unlawful access.
You can read the European Commission Q&As here, the Executive Order here, the US Government Fact Sheet here, the US Department of Justice page here, and the DPRC Regulations here.