International: Overview of the DPRC Regulations
On 7 October 2022, the U.S. Department of Justice's ('DOJ') Office of the Attorney General ('AG') published regulations ('the Regulations') establishing a Data Protection Review Court ('DPRC') within the DOJ [1]. Hannah Schaller, Jacob Sommer, and Mason Weisz, from ZwillGen PLLC, give an overview of the Regulations, touching on the function and structure of the DPRC and its review process, as well as key considerations for businesses.
The Regulations were issued on 7 October 2022, pursuant to Section 3(d)(i) of the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities ('the Executive Order') [2]. The Regulations create a judicial redress mechanism for non-US citizens affected by US signals intelligence activities.
This directly responds to one of the main concerns raised by the Court of Justice of the European Union ('CJEU') in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II Case'), namely the lack of an effective redress mechanism for individuals protected by the EU General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') who claim they were harmed by US intelligence activities under Section 702 of the Foreign Intelligence Surveillance Act ('FISA') and Executive Order 12333.
Along with the other aspects of the Executive Order, the formation of the DPRC will hopefully help provide greater legal certainty for transatlantic data flows. It helps pave the way for an adequacy decision from the European Commission that may:
- recognise a successor to the EU-US Privacy Shield framework; and
- find that the Executive Order's overall framework also sufficiently addresses the CJEU's concerns regarding Section 702 of FISA and Executive Order 12333 for businesses that wish to transfer personal data to the US on the basis of Standard Contractual Clauses ('SCCs').
Function of the DPRC
The DPRC is the second stage of a two-part redress mechanism to review complaints related to US signals intelligence activities. The first stage involves review by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence ('CLPO'), a position created by the Executive Order. A public authority from a qualifying jurisdiction outside of the US submits a complaint to the CLPO, which must conduct an initial investigation and review to determine if the complaint alleges violations of US laws. If so, the CLPO will issue binding determinations requiring any relevant agency or element of the U.S. Intelligence Community ('IC element') to undertake appropriate remedial action. Without confirming or denying whether the complainant was subject to signals intelligence activities, the complainant will be informed that the CLPO's review did not identify any relevant legal violations or that the CLPO issued a determination requiring appropriate remediation.
The DPRC exists to review the CLPO's determinations. A complainant (i.e. a non-US person on whose behalf a public authority submitted a complaint to the CLPO) or an IC element that receives a CLPO determination may apply to the DPRC for review of the determination.
Structure of the DPRC
The DPRC consists of six judges appointed by the AG, in consultation with the Secretary of Commerce, the Office of the Director of National Intelligence (an agency that coordinates initiatives among the various IC elements), and the Privacy and Civil Liberties Oversight Board (an independent executive branch agency that provides oversight of, and advice about, respect for civil liberties, including privacy, within US intelligence activities). These judges must have appropriate experience in privacy and national security law, be licensed to practice law, and not hold any other U.S. Government office while serving on the DPRC. Each judge will hold a four-year renewable term. The AG cannot remove or take adverse action against a DPRC judge except in cases of misconduct, incapacity, or similar circumstances. This structure is intended to ensure that the judges have appropriate expertise and political independence.
The DPRC will also have two Special Advocates serving two-year renewable terms, who must also be licensed to practice law, have appropriate subject matter expertise, and have necessary security clearances. The Special Advocates represent the complainant's interests before the DPRC. They do not have an attorney-client relationship with the complainant, and contact with the complainant is very limited, in the interest of national security.
DPRC compared to Article III courts
Due to constitutional constraints, the DPRC is established within the DOJ, an executive branch agency, rather than within the judicial branch governed by Article III of the U.S. Constitution. This has garnered some criticism, including from Max Schrems' organisation NOYB, but the DPRC's placement in the executive branch is intentional. This placement is what enables it to be a functioning redress mechanism for complaints related to signals intelligence activities.
Under US law, a complainant must have Article III standing to bring suit in federal court (e.g. federal district courts). This means that the complainant must allege that they have suffered an 'injury in fact' - an actual, concrete, particularised harm caused by the defendant that the court can likely remedy. Complaints related to US intelligence activities can seldom allege an injury in fact because the complainant cannot show whether they were subject to intelligence activities; whether such activities were causally connected to some concrete, particularised, actual harm; or whether a federal court could likely redress the harm. Indeed, courts have dismissed cases challenging signals intelligence activities on this basis (see Clapper v. Amnesty International USA, 568 US 398 (2013)).
By contrast, a court within the executive branch can adjudicate complaints even when complainants do not have Article III standing. Although the DPRC is not an Article III court, the Regulations require it to be guided by U.S. Supreme Court decisions in the same way as an Article III court, and to interpret and apply the Executive Order according to the principles of US law applied by Article III courts. The judges are also subject to the Code of Conduct for U.S. Judges (with limited exceptions that allow them to engage in certain extrajudicial activities, such as the practice of law, so long as these activities 'do not interfere with the impartial performance of the judge's duties or the effectiveness or independence of the DPRC'). The DPRC is the Government's best effort to establish a court free from the Article III standing requirement, thus providing an effective redress mechanism for intelligence-related complaints, but which also has the independence and interpretive principles of Article III courts.
To have a CLPO determination reviewed by the DPRC, a complainant (via a public authority in a qualifying jurisdiction) must apply for review within 60 days of receiving the determination. The DOJ will convene a panel of three judges from the DPRC to review the determination, and the presiding judge will appoint a Special Advocate to represent the complainant's interests and inform the panel on relevant points of law. The DPRC will review whether the CLPO's determination as to whether a covered violation of US law occurred was legally correct and supported by substantial evidence, and whether any remediation ordered by the CLPO was consistent with the Executive Order.
If the DPRC panel concludes that the CLPO's determination was incorrect or not supported by substantial evidence, that the remediation was not consistent with the Executive Order, or that the CLPO's determination otherwise did not meet the requisite standards, the panel will issue its own determination. The DPRC panel decides by majority vote (two out of the three panel members must agree). The DPRC panel's determinations override the CLPO's determinations and are binding on the U.S. Intelligence Community with the force of law.
After reaching a decision, the DPRC will notify the complainant through the appropriate public authority that the DPRC completed its review and that 'the review either did not identify any covered violations or the Data Protection Review Court issued a determination requiring appropriate remediation'. The notification constitutes final agency action in the matter. The DPRC cannot confirm or deny whether the complainant was subject to signals intelligence activities.
Proceedings before the DPRC and its other activities are governed by Executive Order 13526, which sets forth criteria for classifying information as confidential, secret, and top secret. Like the decisions of the Foreign Intelligence Surveillance Court ('FISC'), the decisions and deliberations of the DPRC will be wholly or partly redacted. This may lead to criticisms about lack of transparency, much as FISC decisions have - but US law requires balancing the need for transparency against the need to preserve the confidentiality of sensitive information related to national security.
Considerations for businesses
The DPRC is a momentous step toward establishing smoother transatlantic data flows. It directly responds to the CJEU's critique that EU residents lack an effective redress mechanism for harms perceived to relate to US intelligence activities under Section 702 of FISA and Executive Order 12333, and thus lack sufficient protections for their fundamental rights under EU law. The Executive Order goes above and beyond this critique because the redress mechanism applies not only to complaints about activities under Section 702 of FISA and Executive Order 12333, but to complaints about any US signals intelligence activity. The Executive Order's other provisions also apply broadly to US signals intelligence at large, including its requirements of necessity and proportionality. Along with the rest of the Executive Order, the DPRC seeks to mend the gaps identified in the Schrems II case and restore easier methods of legalising data flows between the EU and the US.
The Commission is currently considering whether the DPRC and the other requirements of the Executive Order sufficiently address the concerns raised in the Schrems II case. Even if the Commission decides that the Executive Order does resolve these concerns and grants the US a limited adequacy status based on this decision, businesses may still need to rely on SCCs or on the recipient's participation in a successor to the EU-US Privacy Shield for most transfers of GDPR-regulated personal data to the US. Transfer impact assessments ('TIAs') would likely still be required, at least for transfers that rely on SCCs. However, even if these measures are still required, an adequacy determination would significantly lower risks associated with these transfers; the DPRC and the other requirements of the Executive Order (when fully implemented) may fully satisfy the concerns raised by the CJEU regarding Section 702 of FISA and Executive Order 12333 in its Schrems II decision.
For now, businesses will continue using the SCCs and TIAs to legitimise many transfers of GDPR-regulated personal data to the US. TIAs can take account of the Executive Order and its requirements, including the DPRC, as mitigating factors that reduce the likelihood that GDPR-regulated data could be accessed under Section 702 of FISA or Executive Order 12333 in a manner that raises GDPR concerns. Even if the Commission does not grant adequacy, the Executive Order significantly strengthens the protections applicable to personal data transferred to US companies.
1. Available at: https://www.govinfo.gov/content/pkg/FR-2022-10-14/pdf/2022-22234.pdf
2. Available at: https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities/