14/10/2022 - In the aftermath of the Schrems II judgment, wherein the Court of Justice of the European Union (CJEU) annulled the contentious ‘Privacy Shield’ adequacy decision governing cross-border data transfers between the European Union (EU) and the United States of America (US), as discussed here, the EU and the US announced that they had agreed in principle on a new Trans-Atlantic Data Privacy Framework (TADPF). This agreement, among other things, outlined certain ‘key principles’ such as the establishment of mechanisms for grievance redressal, monitoring and review, the imposition of robust obligations on companies, as well as the formulation of binding safeguards to limit access to data by US intelligence authorities to what is “necessary and proportionate”. To legitimize and implement the aforementioned ‘key principles’, it was agreed that the US would draw up an Executive Order which would then form the premise of the TADPF. Against this background and after much anticipation, on 7 October 2022, the White House published an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (EO).

What does the EO govern? 

The EO introduces certain safeguards against the surveillance and interception mechanisms deployed by the US Government through signals intelligence activities, to protect the privacy rights and interests of individuals, particularly those whose personal data is the subject of cross-border transfers to the US. To this end, the EO governs inter alia the circumstances in which such activities may be undertaken and the redressal mechanisms available to individuals who suspect an infringement of their rights on account of such activities. The EO primarily focuses on the following:

Restricted scope for surveillance and interception through ‘signals intelligence activities’

The EO mandates that surveillance and interception through ‘signals intelligence activities’ may be undertaken only in limited circumstances and goes on to enumerate ‘legitimate objectives’ that justify such activities. The common theme of this list of objectives is national security and national interest. Evaluation of the "capabilities, intentions, or activities" of foreign governments, military or political organizations, protection against terrorism, protection of electoral processes and protection against transnational crimes are some of the objectives listed under the EO. It is noteworthy that the objectives are broadly worded and to that extent their effectiveness in limiting surveillance activities, especially considering the wide scope of US surveillance laws, is questionable. 

Interestingly, if the concerned element of the US Intelligence Community determines that a "targeted collection" of personal data does not suffice for the objective of their surveillance activity, bulk interception of signals is permitted under the EO, albeit only for specific objectives pertaining to national security. Such bulk collection of signals is subject to internal authorization mechanisms prescribed by the EO.   

Moreover, the EO expressly prohibits the deployment of surveillance and interception through ‘signals intelligence activities’ for certain purposes including suppression or restriction of “legitimate privacy interests”, criticism and dissent, or collection of “private commercial information or trade secrets” to provide competitive advantage to the US. 

Safeguards for data collected through signals intelligence activities 

Aligning with the agreement in principle, the EO also prescribes certain safeguards for data collected through signals intelligence activities. It mandates that any such activity be ‘proportionate’, ‘specific’ and "as tailored as feasible" to its objective(s). Requirements of data minimization, retention of data for a limited duration, and restricted dissemination of such data are also contained in the EO. What is interesting about these safeguards is their broad and rather vague construction. While the terminology is clearly inspired by the EU legal framework, the point of reference for the interpretation of these terms will be US law. Given that the two legal regimes fundamentally differ in the context of data protection and privacy, the effectiveness of these safeguards in meeting the expectations of the CJEU remains doubtful and will certainly make for an interesting development to follow.

Two-tier redressal mechanism 

A key feature of the EO is the two-tier redressal mechanism. This mechanism enables individuals belonging to states and organizations that 'qualify' under the EO to seek appropriate remedies against violations of their right to privacy on account of the suspected collection or mishandling of their personal data by US Intelligence Agencies through signals intelligence activities. Notably, the redressal mechanism is only available to natural persons, as is the case with the General Data Protection Regulation (GDPR).

A “Civil Liberties Protection Officer of the Office of the Director of National Intelligence” (ODNI CLPO) has been deployed at the first level of the mechanism, to receive and investigate complaints against "covered violations" under the EO and adjudicate upon them. Complaints can be made through the designated public authority of a "qualifying state" or organization, and the decision of the ODNI CLPO is binding on both the complainant and the concerned element of the US Intelligence Community.

In the event that the complainant or the responding agency does not agree with the ODNI CLPO’s decision, they can apply for review before the Data Protection Review Court (DPRC), a specialized court established by the accompanying Regulation to the EO. The DPRC will comprise a three-judge panel appointed by the Attorney General. Judges will be chosen from amongst experts in the field of privacy, data protection and "national security law" and will not remain associated with the US State Departments during their tenure with the DPRC. The DPRC has also been mandated to appoint a special advocate to represent the interests of the complainant and support the Court in understanding the relevant facts and legal principles applicable to a case.

It is noteworthy that the decision of the ODNI CLPO or the DPRC would not indicate whether the complainant’s data was in fact a subject of signals intelligence activity. The complainant will only be informed about whether the ODNI CLPO or the DPRC identified a violation covered by the EO, and if so, what was determined to be an "appropriate remediation" against such violation. Complainants will not be informed of the "existence, review or outcome" of any review application made before the DPRC by an element of the US Intelligence Community. Lastly, decisions by the DPRC are deemed final. 

The scope of "appropriate remediation" under the EO is also limited to redressal of the violation in terms of deletion of data, restriction on its circulation, etc. The EO does not contemplate any compensatory relief or damages in this regard. Furthermore, the EO and the accompanying Regulation emphasize that the redressal mechanism will be guided by the precedents set by the US Supreme Court and applicable US laws. This reaffirms the fact that implementation of the EO will be as per the standards for privacy in the US, which do not necessarily align with those of the EU at present.

Enhanced oversight and accountability  

The EO mandates that elements of the US Intelligence Community undertaking signals intelligence activities deploy and train senior legal officials, as well as oversight and compliance officials, to periodically verify that such activities comply with US law and the terms of the EO. More specifically, the elements of the Intelligence Community engaging in such activities are required to deploy an Inspector General and a Privacy and Civil Liberties Officer. The Intelligence Community is also required to update its policies and procedures in accordance with the EO within a period of one year. The Privacy and Civil Liberties Oversight Board (PCLOB) has been tasked with annually reviewing the status of such compliance.

The PCLOB is also required to annually review the redressal mechanism to ensure inter alia that the redress process complies with the terms of the EO and that the determinations made by the ODNI CLPO as well as the DPRC are in fact being honored by the concerned agencies. An unclassified report of the annual review is to be made available to the public under the EO.

The European Commission Q&A 

The European Commission (EC) has issued Questions and Answers (Q&A) specific to the EO. According to the Q&A, enforceable safeguards against indiscriminate processing of personal data of individuals in the EU by US Intelligence Agencies, as well as the establishment of an “independent and impartial” grievance redressal mechanism are the two primary aspects of the EO.  

The new grievance redressal mechanism is, in the opinion of the EC, an encouraging departure from the Ombudsperson appointed under the invalidated Privacy Shield. However, it cannot be ignored that even under the EO, the CLPO is an official of the US Intelligence Community and the DPRC is not a ‘judicial court’ but a body constituted by the US government. On this front as well, it remains to be seen how the independence of the mechanism is ensured in practice. Moreover, given that the EO is an executive order, its susceptibility to change or manipulation with change in the political landscape of the US is unavoidable. 

What have been the reactions so far? 

Max Schrems’ organization, noyb.eu, is reportedly in the process of analyzing the finer details of the EO but has, at the outset, questioned its sufficiency on account of, inter alia, its not being a ‘law’ and the fact that it continues to allow for bulk surveillance. The European Consumer Organisation (BEUC) has also expressed concern that since the US still does not have a "federal data protection law", the effects of the absence of such a law cannot be overcome by the EO. The Electronic Privacy Information Center (EPIC), an American privacy advocacy organization, as well as the Trans-Atlantic Consumer Dialogue have echoed similar sentiments, available here and here.

On the other hand, the United Kingdom (UK) has welcomed the EO. The UK Digital Secretary along with the US Secretary of Commerce have released a joint statement on their commitment to develop a new "bilateral Technology Partnership". The statement indicates that there has been progress in the "US-UK adequacy discussions".  

While the Danish Data Protection Authority (Danish DPA) has referred to the EO as a step towards an adequacy decision, it has maintained that such a decision can be arrived at only if the US restricts its collection of personal data to what is "strictly necessary" and "proportionate", and individuals in the EU who are subjected to such data collection are also afforded "effective legal remedies". Remarks by other relevant authorities in the EU, including the overarching European Data Protection Board (EDPB), are to be expected.

What does this development mean for organizations today? 

The EO marks an important step towards an EU adequacy decision for data transfers between the EU and the US, yet it does not change anything today for ongoing trans-Atlantic data transfers. In fact, the EC in its Q&A has reiterated that the other tools prescribed under the GDPR for cross-border data transfers, particularly the recently updated EU Standard Contractual Clauses (SCCs), will remain relevant in ensuring such transfers are compliant with the GDPR until the formal adoption of a new adequacy decision.

To that extent, it is important to emphasize that organizations are not in a position to take a wait-and-see approach but must continue to ensure their data transfers to the US are compliant with the GDPR. We have seen, however, that this development and the terms of the EO may prove relevant for organizations currently conducting ‘Data Transfer Impact Assessments’ concerning their data transfers to the US.

What are the next steps? 

Based on the EO, the EC is now able to propose a draft adequacy decision for the US and to initiate the formal adoption procedure. It must be stressed, however, that such a draft will be subject to the opinion of the EDPB and will ultimately have to be approved by representatives of the EU Member States and pass scrutiny by the European Parliament.

In line with the above procedure, it is estimated that this process will take a number of months. As such, an adequacy decision for the US is expected by spring 2023 at the earliest, provided all steps in the procedure are passed successfully.
