International: Breakdown of US Executive Order implementing the EU-US DPF
Since the invalidation of the EU-US Privacy Shield following the Schrems II Case, organisations have been required to find alternative mechanisms for personal data being transferred from the EU to the US in order to ensure an essentially equivalent level of protection is provided. However, following several months of negotiation, on 7 October 2022, President Joe Biden signed the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities[1] ('EO'), which outlines how the US plans to implement its commitments under the European Union-US Data Privacy Framework ('EU-US DPF'). This constitutes a significant next step towards reinstating an adequacy decision from the European Commission, which would facilitate the transatlantic flow of personal data between the two regions.
As reactions to, and questions about, the protections provided by the EO emerge, OneTrust DataGuidance provides an outline of the main provisions of the EO, with comments provided by David Dumont, Partner at Hunton Andrews Kurth, and Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP.
What is the EO and why is it important?
The EO follows an agreement in principle on the transfer framework which was announced by the President of the European Commission, Ursula von der Leyen, in March 2022. Nonetheless, as noted by the Danish data protection authority, the EO is not in itself a basis for transfers of personal data until the Commission has approved its assessment stating that there is a sufficient level of protection for personal data in the US[2]. The EO does, however, provide forward motion, and, as noted by Kagan, "is a huge step taken by the US to address the issues flagged by the EU and to move the data transfer crisis experienced by tens of thousands of companies toward resolution. The EO imposes limits on the collection and processing of information, requires the process to be more structured and thought out, increases transparency, imposes oversight mechanisms; and fortifies the independence of these mechanisms".
Importantly, the EO includes a binding multi-layer mechanism for individuals to seek redress, mandates the handling of personal data, and adds further safeguards for U.S. signals intelligence activities.
On this point, Dumont notes that, "By putting in place legal safeguards that limit access to personal data by U.S. surveillance authorities to what is necessary and proportionate to achieve specific purposes and implementing more robust oversight through, amongst other things, the establishment of a Data Protection Review Court ('DPRC'), the EO addresses the key issues raised by the Court of Justice of the European Union [in the Schrems II Case]".
What are the key aspects of the EO?
The EO provides that signals intelligence activities must be subjected to rigorous oversight to ensure that they follow the relevant principles. As a consequence, the EO establishes that the legitimate objectives of personal information collection include, among other things, understanding or assessing the capabilities and intentions of a range of threats, including those posed by foreign governments and terrorist organisations, espionage, cybersecurity threats, and threats to personnel.
The EO also provides a series of prohibited objectives regarding the collection and processing of personal information by signals intelligence authorities. These prohibited purposes include:
- suppressing or burdening criticism, dissent, or the free expression of ideas by individuals or the press;
- suppressing or restricting legitimate privacy interests;
- suppressing or restricting a right to legal counsel; or
- disadvantaging persons based on their ethnicity, race, gender, gender identity, sexual orientation, or religion.
Further, the EO clarifies that it is not a legitimate objective to collect foreign private commercial information or trade secrets in order to afford US companies and US business sectors a commercial competitive advantage. The only collection authorised is that which serves to protect the national security of the US or its allies.
With regard to bulk collection of personal information, the EO requires that targeted collection be prioritised. Specifically, when it is deemed necessary to engage in bulk collection, elements of the intelligence community must apply reasonable methods and technical measures to limit the data collected to only what is necessary to advance a validated intelligence priority, while minimising the collection of non-pertinent information.
According to the EO, bulk collection of personal information may only occur in pursuit of objectives including:
- protecting against terrorism;
- protecting against espionage;
- protecting against threats from the development, possession, or proliferation of weapons of mass destruction;
- protecting against cybersecurity threats;
- protecting against threats to personnel; or
- protecting against transnational criminal threats.
Equally, the EO holds that, to minimise the impact on privacy and civil liberties, bulk collection of personal information shall be subject to such safeguards, except where information is:
- used only to support the initial phase of the targeted signals intelligence collection activity;
- retained only for a short period of time required to complete the above phase; and
- thereafter deleted.
The above, however, has not been without criticism. In particular, none of your business ('NOYB') outlined in its reaction to the EO[3] that "[despite that change in wording from 'as tailored as feasible' to 'necessary and proportionate'], there is no indication that US mass surveillance will change in practice [as] the EU and the US agreed to copy the words 'necessary' and 'proportionate' into the EO, but did not agree that it will have the same legal meaning".
Signals Intelligence Redress
Section 3 of the EO lays down provisions for the creation and functioning of a redress mechanism, which serves the purpose of reviewing qualifying complaints against US signals intelligence activities, transmitted by the competent public authority in a qualifying state, for any relevant breach of US law and, if necessary, ordering appropriate remediation.
Indeed, Dumont notes that "Compared to the Ombudsperson under the previous Privacy Shield, the redress mechanism introduced in Biden's EO provides more guarantees for independent, impartial, and effective oversight".
While the EO does not establish the process for the submission of qualifying complaints, it does entrust the Director of National Intelligence, together with the Attorney General ('AG') and the heads of elements of the Intelligence Community that collect or handle personal information collected through signals intelligence, with that task, which shall be fulfilled within 60 days of the date of the EO, i.e. by 6 December 2022.
Civil Liberties Protection Officer
Similarly, the EO assigns to the Director of National Intelligence, in coordination with the AG, the duty of laying down the procedure through which the Civil Liberties Protection Officer of the Office of the Director of National Intelligence ('CLPO') is authorised to investigate, assess, and, if required, order appropriate remedies for qualifying complaints. The process in question shall ensure, at a minimum, that the CLPO shall, in relation to each qualifying complaint:
- review relevant information;
- exercise its authority to determine whether there was a covered violation;
- determine the appropriate remediation;
- provide a classified report on information indicating a violation of authority subject to the oversight of the Foreign Intelligence Surveillance Court ('FISC') to the Assistant AG for National Security;
- inform the complainant, via the competent public authority in a qualifying state (however without mentioning whether the complainant was subject to US signals intelligence activities), that:
  - either the review did not reveal any covered violations or the CLPO issued a determination ordering remediation of the covered violation;
  - the complainant or an element of the Intelligence Community may apply for review of the CLPO's determination before the Data Protection Review Court (please see below); and
  - in case of appeal before the Data Protection Review Court, a special advocate will be selected by that court to support the complainant's interest in the matter;
- maintain appropriate documentation of the review carried out and deliver a classified decision outlining, among other things, the basis for its findings;
- prepare a classified ex parte record of review; and
- provide support to the DPRC.
However, with regard to the process followed for qualifying complaints, Kagan observes that "there are already voices that say that recourse is not effective if you don't even know that you have been monitored in the first place. This, however, is an age-old dilemma regarding the balance between the rights of the individuals and the national security interest".
Subject to any determination of the DPRC, the determinations of the CLPO will have binding effect on the Intelligence Community, so that each agency shall undertake the required remediation actions, as compelled by the CLPO.
Further to the above, the Electronic Privacy Information Center ('EPIC') predicted[4] that "the complexity of the new redress mechanism, and the lack of any notice provisions, will likely raise concerns among Europeans that it is not a meaningfully accessible way to exercise their rights".
The Data Protection Review Court and Regulations
As required by the EO, the AG issued, on the same day as the EO, regulations[5] establishing a DPRC.
In accordance with the EO, the regulations, at a minimum, shall provide that:
- the AG, together with the Secretary of Commerce, the Director of National Intelligence, and the Privacy and Civil Liberties Oversight Board ('PCLOB') shall appoint the judges who will serve on the DPRC, who, among other requirements, must not be employees of the U.S. Government;
- upon receipt of an application for review, a three-judge panel shall be convened;
- upon being convened, the panel shall select a special advocate, to assist the panel and represent the complainant's interests in the matter;
- the panel shall impartially review the CLPO's determinations concerning whether a covered violation has been ascertained and the relevant remedies ordered, relying to this end on the classified ex parte record described under Section 3(c)(i)(f) of the EO, and on relevant decisions of the U.S. Supreme Court;
- in case of disagreement with the determinations of the CLPO, the panel shall issue its own determinations;
- the panel shall provide a classified report on information indicating a violation of authority subject to the oversight of the FISC to the Assistant AG for National Security; and
- upon completion of the review by the panel:
  - the outcome of the review shall be communicated to the CLPO, following the procedure set out by the AG in the regulations; and
  - the complainant shall be informed, through the appropriate public authority in the qualifying state (however without mentioning whether the complainant was subject to US signals intelligence activities), that:
    - the review did not reveal any covered violations; or
    - the DPRC issued a determination ordering remedial actions.
Similar to the provisions established with regard to the CLPO, the determinations of the DPRC will have binding effect on the Intelligence Community. The EO confirms, however, that the DPRC must remain independent from the AG and the Intelligence Community.
On this, Dumont provides that "It is difficult to assess the practical impact of the DPRC at this stage.
That said, there is no reason to presume that the two-layered redress mechanism laid down in the EO will not be effective […] This is clearly a more robust redress mechanism than the Ombudsperson existing under the previous Shield, which was one of the main concerns raised in the Schrems II Case."
Notably, the EO adds that, to implement the redress mechanism above, the AG is authorised to designate a country or regional economic integration organisation as a qualifying state, effective immediately or on a date specified by the AG.
More specifically, Dumont adds that "The EO sets forth the procedure for States to be designated as a qualifying State, which requires a decision of the AG, in consultation with the Secretary of State, the Secretary of Commerce and the Director of National Intelligence.
When designating a State as qualifying State, the decision-makers will take into account whether:
- the concerned State's laws lay down appropriate safeguards in relation to conducting signals intelligence activities affecting the personal data of US individuals;
- the State permits or anticipates permitting the transfer of personal information for commercial purposes to the US; and
- the designation would advance the US national interests".
However, the EO provides that the AG may revoke or amend such a designation, should any of the above considerations no longer apply.
What are the business considerations?
As noted, since the Schrems II Case, many organisations have had to carefully review their EU to US transfers while waiting to see if a revamped Privacy Shield would materialise.
As such, Dumont notes that "If adopted, the new Privacy Shield framework will likely provide an operationally less burdensome and more cost-effective mechanism to transfer personal data from the EU to the US. This is particularly true for US-based companies that receive data from many different data exporters in the EU, as Shield certification will remove the administrative burden associated with entering into and maintaining data transfer agreements.
At this point in time, we do not have a full view on the obligations organisations will have under the new Shield framework. That said, we do not expect that organisations that were or are still certified under the previous Shield framework will face significant additional compliance tasks.
Even before the adequacy decision with respect to the new Shield is adopted, EU organisations exporting data to the US may start updating their Transfer Impact Assessments to consider the new safeguards under the EO".
Furthermore, Kagan highlights that "The EO addresses the national security component of the Privacy Shield. The commercial pieces of the Privacy Shield certification likely need to be adapted to the GDPR (as the mechanism was passed before GDPR). However, companies, both those who aren't certified and those who are, would do well to look into the requirements for certification and see what they need to do. This would naturally require looking into your transfers; the stated purposes for processing; the real purposes for processing; the measures to protect data etc.".
The EO will now form the basis for the European Commission[6] to begin the process for the issuance of a draft adequacy decision, and to launch its adoption procedure thereafter.
However, at the time of writing, a timeline for the process towards a new adequacy decision has not been confirmed, and the process could take up to six months. In the meantime, the White House outlined[7] that the EO should provide greater legal certainty for companies using Standard Contractual Clauses ('SCC') and Binding Corporate Rules ('BCR') to transfer personal data from the EU to the US.
1. See: https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities/
2. See: https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2022/okt/nyt-om-transatlantiske-overfoersler-af-personoplysninger
3. See: https://noyb.eu/en/new-us-executive-order-unlikely-satisfy-eu-law
4. See: https://epic.org/president-biden-signs-executive-order-creating-new-safeguards-for-u-s-surveillance-programs/
5. See: https://www.justice.gov/opcl/page/file/1541321/download
6. See: https://ec.europa.eu/commission/presscorner/detail/en/qanda_22_6045
7. See: https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/07/fact-sheet-president-biden-signs-executive-order-to-implement-the-european-union-u-s-data-privacy-framework/