Hungary, 25th October 2022

1. Introduction

On 7th October, the President of the United States of America, Joe Biden, issued a new executive order: U.S. Signals Intelligence Activities; Efforts To Enhance Safeguards (EO 14086). The reason for issuing this new executive order is to use it as a replacement for the Privacy Shield Program (EU-US Privacy Shield Framework), which was invalidated by the Schrems II decision (C-311/18). This new executive order is the US-side implementation of the new “EU-U.S. Data Privacy Framework”; however, for it to take effect, a new adequacy decision has to be issued by the European Commission, similar to the invalidated Commission Implementing Decision (EU) 2016/1250.

Many European data controllers (and their lawyers) are looking forward to such a new adequacy decision, because the Schrems II decision and Recommendations 1/2020 of the European Data Protection Board (EDPB) made it very difficult for companies under the GDPR to comply with the strict requirements of Articles 46-47 when transferring any personal data from the EU to the US.

Although in theory standard contractual clauses and binding corporate rules were not affected by the Schrems II decision, the recommendations of the EDPB made even such transfers much riskier in terms of compliance for data controllers. Data exporters relying on the standard contractual clauses of the European Commission or on previously approved binding corporate rules were suddenly expected to analyse entire legal systems (e.g. the USA, China, Russia etc.) as they operate in practice, and to implement supplementary technical and contractual measures to bring national laws up “to the level required by EU law”.

First, such an analysis takes the European Commission an average of 28 months, yet suddenly every SME in the EU is expected to carry it out before allowing any such transfer to the US, without having the resources to get a lawyer to make such a bold statement about the data protection law of, say, 50 different states.

Secondly, if we take a look at the reasons underlying the invalidation of the Privacy Shield Program (see below), we can see that this is easier said than done, and it may in theory be impossible for data controllers to fully patch up these existing holes.

Recent decisions of national data protection authorities have further exacerbated this problem: they have started to prohibit any data transfer to the US by popular services such as Google Analytics.

Having a new adequacy decision will remove all this uncertainty, because data protection authorities will not be able to simply prohibit data transfers based on their own suspicions, unless someone once again first convinces the EU Court of Justice that the Commission's future adequacy decision is unlawful.

Below, we will first recall the reasons why the EU Court of Justice found the Privacy Shield adequacy decision invalid in Schrems II, and then summarise why this Privacy Framework is (hopefully) different.

[Image: Submarine near underwater cable]

2. Schrems I on Safe Harbour and Schrems II on Privacy Shield

Following Snowden's revelations, the adequacy decision for US data transfers under the Safe Harbour principles (2000/520/EC) was questioned even by the Commission itself. However, the Commission opted to strengthen the principles rather than revoke the decision (COM/2013/846), and these strengthening measures remained mostly recommendations in nature (e.g. aiming for new umbrella agreements for law enforcement purposes, expecting better supervision by US authorities of the self-certified companies, limiting the national security exception to what is proportionate, extending the safeguards enjoyed by US residents to all EU citizens etc.; see also COM/2013/847).

However, in the same month as the revelations, a private person submitted a complaint to the Irish data protection authority (the Commissioner) regarding a social media company's transfer of his data to the USA. After the complaint was rejected, the complainant brought an action before the High Court, which referred the case to the Court of Justice of the EU. The direct question was whether data protection authorities were bound by the findings of the European Commission (2000/520/EC), or whether they could examine in detail whether the Safe Harbour decision ensured adequate protection in line with Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union.

Regarding the direct question, in case C-362/14 (Schrems I) the Court of Justice of the EU answered that data protection authorities can examine such claims of non-compliance, but cannot adopt measures contrary to the decision of the Commission. However, the Court of Justice went further and, in order to give the referring court a full answer (C-362/14, para. 67), found it also necessary to examine whether decision 2000/520/EC complied with the requirements of the data protection directive in effect at the time (95/46/EC). In that part, the Court of Justice highlighted that (a) the Safe Harbour principles were intended for self-certified organisations, and (b) national security and similar requirements have primacy over the Safe Harbour principles, with no limitation on such interference and without any safeguards for (non-US resident) EU citizens against it.

Under the case law of the Court of Justice, interference with the fundamental rights under Articles 7 and 8 requires legislation that, first, lays down clear and precise rules governing the scope and application of a measure and imposing minimum safeguards and, secondly, is limited to what is strictly necessary. Furthermore, Article 47 requires that individuals have the right to an effective remedy before a tribunal, and that they be able to pursue legal remedies in order to have access to personal data relating to them, or to obtain the rectification or erasure of such data.

After the invalidation, the High Court of Ireland referred the issue back to the Irish Data Protection Commissioner, whose investigation found that Facebook was now using the standard contractual clauses (“SCC”) published by the European Commission for its data transfers. For that reason, the Commissioner also asked the complainant to reformulate his complaint.

After the invalidation of 6 October 2015, the European Commission quickly adopted a new adequacy decision (Commission Implementing Decision (EU) 2016/1250), which also explicitly contained provisions on the use of personal data by US public authorities, including limitations on use for national security purposes (such as Presidential Policy Directive 28) and references to individual redress (cf. paras. 111-124 of CID (EU) 2016/1250). The US government committed to creating a new oversight mechanism, independent from the US “Intelligence Community”, called the Privacy Shield Ombudsperson.

The reformulated complaint of December 2015 now also covered the SCC mechanism for data transfer, and claimed that even these measures were not in line with Articles 7, 8 and 47 of the Charter. This time, the Commissioner was of the same opinion: that personal data of EU citizens would be processed by the US authorities in a manner incompatible with Articles 7 and 8 of the Charter, and that US law still did not provide citizens with legal remedies compatible with Article 47 of the Charter. The Commissioner found that the SCCs were not capable of remedying this defect, since they confer only contractual rights on data subjects against the data exporter and importer, without being binding on the United States authorities.

At the Commissioner's request, the High Court of Ireland again referred the question to the Court of Justice, highlighting its finding that non-US persons are still not granted effective (personal) remedies, neither under FISA Section 702 (that is, 50 U.S. Code § 1881a) nor under the presidential policy directive mentioned above (PPD28). Such persons do not have access to litigation based on the Fourth Amendment of the US Constitution, and in relation to surveillance measures it is almost impossible for claimants to prove that they have a sufficient interest in the matter (locus standi) for a court to decide the merits of the dispute. Furthermore, the High Court was also of the opinion that the newly introduced Privacy Shield Ombudsperson cannot be considered a tribunal under Article 47 of the Charter.

In this next decision, C-311/18 (Schrems II), the Court of Justice also examined the validity of the Privacy Shield decision, again “in order to give the referring court a full answer” (para. 161), and found it invalid.

The main reasons for this invalidity were that the decision complied neither with the proportionality requirement for limitations under Article 52.1 of the Charter, nor with the requirement of Article 47 of the Charter of a public hearing by an independent and impartial tribunal.

The first condition was not met because surveillance programmes under Section 702 of the FISA or E.O. 12333 (even with PPD28) do not contain limitations on the implementation of such surveillance programmes in respect of non-US persons, and the US admitted that even PPD28 does not grant data subjects any rights actionable before US courts.

The second condition was not met because submitting a claim to the Privacy Shield Ombudsperson was not found to be equivalent to bringing legal action before an independent and impartial court (in order to have access to one's personal data, or to obtain the rectification or erasure of such data). The political commitment by the US Government was that every element of the intelligence services is required to correct violations detected by the Ombudsperson, but the Court of Justice found that no legal safeguards had been implemented to fulfil this promise. The Ombudsperson does not have the power to adopt decisions binding on the intelligence services, and is not independent from the Secretary of State.

[Image: Spies under review]

3. Is it really different this time?

Let’s now take a look at the new Executive Order. In its section 2, it provides wide-ranging principles for signals intelligence activities, regarding their legal basis, and stresses that they are always subject to appropriate safeguards, proportionality etc. It also gives an explicit list of objectives (which may of course be updated later), as well as a list of prohibited objectives, including “suppressing or restricting a right to legal counsel” or the collection of trade secrets for US companies to gain a competitive advantage. Regarding privacy safeguards, somewhat generic safeguards are clearly present in section 2(c), requiring a prior determination for a specific signals intelligence collection activity and the necessity of such collection to advance an intelligence priority, as well as elements of proportionality (“shall consider the availability, feasibility, and appropriateness of other less intrusive sources and methods for collecting the information necessary”; “feasible steps taken to limit the scope of the collection to the authorized purpose”).

With regard to bulk collection, more detailed requirements are included (section 2(c)(ii)), including a finding that the same purposes cannot be accomplished with targeted collection, and that “reasonable methods and technical measures” should be applied “in order to limit the data collected to only what is necessary”. For bulk surveillance, the list of objectives is shorter, but it still includes such widely applicable objectives as “protecting against cybersecurity threats created or exploited by … a foreign government, foreign organization, or foreign person”.

Besides these safeguards, a definite redress mechanism is also included that covers all signals intelligence activities (section 3). The redress mechanism has two levels. The first level of redress starts with the receipt of “qualifying complaints” sent by public authorities in a qualifying state. However, this does not mean that only public authorities may submit such complaints; rather, it means (under the definitions) that public authorities of qualifying states (including those of the EU) will first have to verify the identity of the complainant and that the complaint satisfies the requirements of the EO.

This complaint will be investigated by the Civil Liberties Protection Officer (CLPO) of the Office of the Director of National Intelligence in the US, who is entitled to access all the necessary information from the Intelligence Community, and is expected to document the whole review, including factual findings, and to create classified reports. There are now explicit provisions in the EO that the decisions of the CLPO will be binding on the Intelligence Community and its agencies. The independence of the CLPO from the Director of National Intelligence is also clearly stated in the EO, including a prohibition on removing the CLPO other than for misconduct and the like.

It is interesting to highlight that the complainant will not receive any information regarding the intelligence activities they were subject to, including whether they were subject to such activities at all; the reply will only state whether any violations were identified and remediation ordered, or not.

Either the complainant or the Intelligence Community element may apply for a second level of review, a review by the newly established “Data Protection Review Court”. This court will be made up of judges who were not employed by the government at the time of their selection, and who may not be removed once appointed, in accordance with general rules for judicial conduct. The court shall operate in panels of three judges and will mostly work on the basis of the complaints and the documentation prepared by the CLPO. Similar to the CLPO, this court is also limited in what it can tell the complainant.

In summary, we can say that, in contrast with the Privacy Shield and its annexes of letters, the new EO has really clarified the legal basis and the safeguards for such intelligence activities. However, despite all the best intentions and all the efforts of the European Commission in a new adequacy decision, we may still end up in a situation where the Court of Justice finds these safeguards insufficient. It is not obvious how the above redress mechanism in the new EO can ensure data subjects' access to their data as required by Article 8.2 of the Charter, or whether such short answers from the CLPO/DPRC will amount to a right to an effective remedy and a fair trial.

But we also have to keep in mind some other aspects:

a) this kind of access to classified data relating to intelligence activities is not unconditionally ensured under the national laws of EU member states either;

b) compared to the lack of a clear definition of national security in the EU countries (see CCBE Recommendations on the protection of fundamental rights in the context of ‘National Security’, pp. 12-16) and the lack of transparency of such activities in the EU, the attempt of this US EO to give a list of objectives for signals intelligence activities and to provide safeguards is clearly a step in the right direction.

Even though the EU is not a federal state like the US, from the viewpoint of the fundamental rights protected by the Charter, at least a more modest degree of harmonisation and transparency could also be ensured with regard to limitations related to national security.