As reported in our previous blogpost, on 7 October 2022, the US White House published Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities (EO).

In this blogpost, we set out the key points to note, including the background to the EO, what it does and does not do and what organisations should be doing now.

In the annex of this blogpost, we summarise the key elements of the EO in detail.

Why has the EO been passed?

On 16 July 2020, the Court of Justice of the European Union (CJEU) invalidated the previous EU-US Privacy Shield (Privacy Shield)[1] on the basis that US surveillance laws are not compatible with EU law. In particular, the CJEU found that:

  • US surveillance laws[2] do not limit access to data for surveillance purposes to what is “necessary and proportionate”; and
  • EU data subjects are not granted actionable redress in the courts against US authorities, so they have no right to an effective remedy.

What does the EO do?

Whilst the EO does not amend or replace existing US surveillance laws, it sets out additional safeguards that are clearly designed to answer both of these points. It does this by establishing:

  • Safeguards: The EO mandates safeguards for “signals intelligence activities” (SIAs) by establishing a set of overarching principles. It then sets out the legitimate objectives for which SIAs may be undertaken, lists prohibited objectives, and imposes data handling requirements where intelligence agencies process personal data. “Necessity” and “proportionality” are explicitly referenced in the principles. These are key concepts in EU jurisprudence and their inclusion appears to be an intentional move to address the CJEU’s criticisms; and
  • Redress: The EO creates a two-tier redress mechanism. At the first tier, data subjects can, through an appropriate public authority, lodge a complaint with the Civil Liberties Protection Officer of the Office of the Director of National Intelligence (CLPO), an existing office on which the EO confers a new redress function and enhanced independence. At the second tier, the CLPO’s decision can be referred to the Data Protection Review Court (DPRC), which the EO directs the US Attorney General to establish by regulation. Decisions of both the CLPO and the DPRC are binding on US intelligence authorities. The redress mechanism is only available to data subjects in countries designated as “qualifying states” by the US Attorney General.

The safeguards and redress mechanism are summarised in greater detail in the annex of this blogpost.

Is the EO an “Adequacy Decision” enabling transfers from the EEA/UK to the US?

No, the EO itself does not replace the invalidated Privacy Shield nor act as an adequacy finding.

The EO does, however, pave the way for the European Commission to begin its adequacy assessment of transfers to the US for companies that adhere to the successor to the Privacy Shield (the Privacy Shield framework as amended, now referred to as the EU-U.S. Data Privacy Framework), because it addresses the two key points raised by the CJEU. It will serve the same purpose for the UK Government’s assessment of UK to US transfers.

What should organisations be doing now with respect to transfers of personal data from the EEA/UK to the US?

It is generally “business as usual” for EEA/UK organisations that export personal data to the US: use the Standard Contractual Clauses (or an alternative permitted export mechanism or derogation) and, as required, conduct transfer impact assessments (TIAs) with reference to the European Data Protection Board’s (EDPB) recommendations.

Organisations can, however, start factoring the EO into TIAs, with caution. “Necessity”, “proportionality” and effective redress are the key aspects identified in the EDPB’s recommendations for assessing whether personal data is afforded a level of protection essentially equivalent to that in the EEA. The safeguards and redress mechanism established by the EO deal with precisely these points. Organisations should therefore be able to take them into account when conducting TIAs for transfers to the US, potentially lowering the risk rating of such transfers from the outset.

However, it should be noted that, at this stage, the redress mechanism does not apply to the EEA or the UK, as neither has yet been designated a “qualifying state”. We assume that such designation is likely to follow, possibly at the same time as the EU or the UK issues an adequacy decision in respect of transfers to US companies that adhere to the Privacy Shield framework as amended.

Finally, although the EO took effect on 7 October 2022, it requires US intelligence agencies to update their policies and procedures to implement its safeguards, and it may take some time before guidance on compliance is issued to those agencies. Until the EU adequacy decision is adopted, there is therefore a risk that EU data protection authorities will not give the EO its full weight when reviewing TIAs.

What happens next?

The European Commission will now move to the next step of the adequacy process, which is to propose a new draft adequacy decision and launch the adoption process.

This will require obtaining an opinion from the EDPB and the approval of a committee composed of representatives of the EU Member States. The European Parliament also has a right to scrutinise adequacy decisions and to issue non-binding resolutions. This process usually takes up to six months, but can go on for longer.

The adequacy decision is likely to take the form of the invalidated Privacy Shield in that it will require US-based companies to self-certify that they adhere to a detailed set of privacy obligations. We consider it likely that the Privacy Shield obligations will be revised to align with the principles and definitions of the GDPR.

What about the UK?

The UK and the US issued a joint statement following the publication of the EO. According to the statement, the UK welcomes the EO and is working expeditiously to conclude its adequacy assessment of the US. As the UK is no longer tied to the EU adequacy process, it may well reach its decision faster than the EU.

Our take

The EO is a welcome advancement in paving the way for the European Commission and the UK Government to reach adequacy decisions in respect of the US.

We are also of the view that the EO should help organisations assess their transfers to the US with greater confidence. Organisations will nonetheless need to continue to approach their assessments with careful consideration of all the underlying facts, and resist the temptation to rely on the EO to “pass” their US TIAs without properly considering its implications.

Notably, data protection authorities will also need to factor the EO into their assessment of the lawfulness of transfers, risk ratings and enforcement, which may bring an end to the very conservative views some of them have taken of transfers of personal data from the EU to the US.

As to the risk of future adequacy decisions being challenged, the European Commission’s Q&As on the EU-U.S. Data Privacy Framework state that it does not expect the CJEU to strike down the new framework, because the safeguards and redress mechanism in the EO address all of the concerns raised in Schrems II. The U.S. Department of Commerce has expressed a similar view. Organisations should nevertheless keep a keen eye on developments in this area. Max Schrems, for example, has already indicated that, in his opinion, the EO does not solve the core issues and that the matter will be back before the CJEU sooner or later. Whether a third challenge would succeed, given the efforts made by the U.S. Government to address the CJEU’s concerns, obviously remains to be seen.

For now, the future of transfers of personal data from the EEA/UK to the US looks to be an improving picture.

Annex

This Annex sets out more detail on the safeguards and redress mandated by the EO.

Safeguards
Principles

The principles are that SIAs must be authorised, subjected to rigorous oversight and subject to appropriate safeguards ensuring that privacy and civil liberties are integral considerations in planning and implementing SIAs. This aims to ensure that SIAs are necessary to advance a legitimate aim and proportionate to that aim.

The reference to “necessary” and “proportionate” is important: these are key concepts in CJEU jurisprudence and in EU fundamental rights law, and the absence of such limits in US law was a key factor in the invalidation of the Privacy Shield.

Legitimate aims

The EO lists twelve legitimate objectives for which SIAs may be conducted, including:

(a) the protection of national security;
(b) understanding/assessing threats to national security and global security;
(c) protecting against foreign military capabilities; terrorism; espionage and other intelligence activities; threats from weapons of mass destruction; threats to US personnel; and transnational criminal threats; and
(d) protecting the integrity of elections and other political aspects.

Bulk collection of signals intelligence continues to be permitted, but the EO requires targeted collection to be prioritised: bulk collection may only be authorised on a determination that the information needed cannot reasonably be obtained by targeted collection. There is also a separate, narrower list of legitimate objectives for which bulk collection may be used.

Prohibited aims

The EO sets out four prohibited objectives. One is conducting SIAs so as to disadvantage persons on the basis of certain protected characteristics. The other three are conducting SIAs for the purpose of suppressing, burdening or restricting:

(a) criticism, dissent or freedom of expression;
(b) legitimate privacy interests; and
(c) the right to legal counsel.

Handling personal data

With respect to personal data collected via SIAs, the EO sets out a number of processes that US intelligence agencies must follow. These include data minimisation; restrictions on retention and dissemination, and deletion requirements (in particular, aligning the approach taken to non-US personal data with the approach taken to US personal data); security and access controls; documentation requirements; and requirements to update policies and procedures as necessary to implement the privacy and civil liberties safeguards in the EO.

Redress

The EO establishes a two-level redress mechanism.

The first level is the CLPO, an existing office within the Office of the Director of National Intelligence to which the EO assigns a new redress function. Individuals in qualifying states (which, once designated, will include EU-based individuals) will be able to lodge a complaint with the CLPO via an appropriate public authority. The CLPO is required to investigate and review the complaint, order appropriate remediation where necessary, and inform the complainant of the outcome.

The EO sets out a process which the CLPO must follow, as a minimum, when considering and investigating a complaint. It mandates that US intelligence authorities must comply with any determination by the CLPO and undertake appropriate remediation steps as issued by the CLPO. The EO also establishes the CLPO’s independence and prevents their dismissal for actions taken pursuant to the EO.

Alongside the CLPO’s new role, the EO requires the US Attorney General to issue regulations establishing a DPRC, which acts as the second tier of the redress mechanism and reviews CLPO decisions on appeal. The DPRC’s judges will be appointed from outside the U.S. Government and must have experience in data protection and national security law.

In addition, individuals (acting as complainants) will be provided with a “special advocate” to represent their interests to the DPRC.

The DPRC will be able to issue its own binding decisions, which US intelligence authorities must comply with.

The European Commission has commented that the redress mechanism is a significant improvement on the mechanism that existed under the Privacy Shield. Under the Privacy Shield, individuals could only turn to an Ombudsperson who sat within the US State Department (and therefore lacked impartiality) and who had no comparable investigatory or binding decision-making powers.

Access to the redress mechanism is not automatic and is only available to countries/regions that are designated by the US Attorney General as a “qualifying state”. A qualifying state is one where:

(a) its laws require appropriate safeguards for the personal data of US individuals in the context of SIAs;
(b) they permit the transfer of personal data between themselves and the US for commercial purposes; and
(c) the designation would advance the national interests of the US.

The member states of the EEA and the UK have not yet been designated as “qualifying states”.


[1] Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18 (known as the Schrems II case).

[2] Namely section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333.