Is it light at the end of the (transfer) tunnel? US “Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities” (and other matters)

First, President Biden’s Executive Order, aimed at addressing the issues raised in the infamous Schrems II case, and acknowledged as the first step in the process for the US to (re)obtain a partial adequacy decision from the EU in relation to Safe Harbour > Privacy Shield > Privacy Shield Mk ii. Closely followed by the UK-US Joint Statement: New Comprehensive Dialogue on Technology and Data and Progress on Data Adequacy setting out the UK’s plans to find the US an adequate country for data transfers, with the US reciprocating in working towards designating the UK as a qualifying state under the redress mechanism in the Executive Order.

1. Executive Order

The Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities (Executive Order) is the culmination of months, of negotiation between the US and the European Commission. It is the substance behind the Trans-Atlantic Data Privacy Framework announced back in March 2022. (For more detail see our articles here and here).

This Executive Order is seen as a considered attempt at tackling the issues raised in the Schrems II case that invalidated the Privacy Shield as a legitimate way to transfer data between the EU and the US, namely (and in summary) (i) the lack of limits on governmental surveillance activities and (ii) a lack of redress for EU citizens. (For more detail on the Schrems II decision see our article here).

Limits on governmental surveillance activities

For the first time we see language akin to the GDPR and the CJEU in the Schrems II judgment (in particular at paragraph 184) replicated in the US text (see Section 2(a)(ii)(A) and (B)). The Executive Order requires the surveillance activities to be “necessary to advance a validated intelligence priority” and “proportionate to the validated intelligence priority for which they have been authorized” and continues in Section 2(a)(iii) stating “signals intelligence activities shall be subjected to rigorous oversight in order to ensure that they comport with the principles identified above”.

There then follows a list of legitimate objectives and prohibited objectives for the signals intelligence activities, as well as details of how the data can be collected, used and shared, how long it may be retained etc. and the mechanisms for oversight.

This is more than just semantics at play. Whether there is actually a meeting of minds or whether the geo-political situation and economic realities of the present day have influenced this shift, it is clear a great deal of thought and negotiation has gone into producing this text and making it as watertight as possible in the hope that it will give businesses certainty and will be able to withstand the (almost) inevitable challenge by privacy activists.

Redress mechanism

Section 3 of the Executive Order establishes the “Signals Intelligence Redress Mechanism”. This replaces the previous Privacy Shield Ombudsman and is aimed at satisfying the second issue in Schrems II, i.e. the lack of redress for EU citizens.

In particular, this section establishes a redress mechanism to review qualifying complaints transmitted by the appropriate public authority in a “qualifying state” concerning United States signals intelligence activities for any covered violation of United States law and, if necessary, appropriate remediation. A qualifying state will be determined by the Attorney General and the “country or regional economic integration organization” must meet certain requirements set out in Section 3(f)(i) of the Executive Order to be so designated. In particular, (A) the qualifying state must have appropriate safeguards relating to the conduct of signals intelligence activities concerning personal data of US citizens that has been transferred from the US to that territory, (B) the territory permits or is expected/anticipated to permit the transfer of personal information for commercial purposes between the US and the territory, and (C) the designation would “advance the national interests of the United States”.

There will be a two-tier process of redress for complaints concerning US intelligence activities from authorities in a “qualifying state”. Tier-one of the redress mechanism is an investigation by the Director of National Intelligence’s Civil Liberties Protection Officer, and should a violation be found an “appropriate remediation” must be determined.

If an individual is not happy with the decision, they may apply for a review of the tier-one decision to the Data Protection Review Court (DPRC). Section 3(d)(i) of the Executive Order authorises the Attorney General to establish the DPRC as the second level of the two-level redress mechanism. On 7 October 2022, the Attorney General signed a new regulation to establish the DPRC, with further details to follow, including “the process for individuals to submit applications for independent review by the DPRC”. It will be important to keep an eye on the US Department of Justice’s announcements to fully understand this process and any implications it may have.

The DPRC will make its own independent determination and should it disagree with the tier-one decision the DPRC may issue remedial measures, which bind the intelligence community (see Section 3(d)(ii) of the Executive Order). This is important as it is aimed at addressing the shortfalls identified in the CJEU’s judgment in Schrems II. Other relevant measures are Section 3(d)(iv) also ensuring that the DPRC will be independent and free from interference by the Attorney General, as well as a nod to transparency with a review every 5 years to see if the relevant information has been declassified and can be released (see Section 3(d)(v)(B) and (C)).

What happens next?

This Executive Order will kick start the EU Commission’s adequacy process to recognise this framework as “essentially equivalent” to the protections provided under the GDPR and to allow the re-birth of Privacy Shield as a transfer mechanism for EU-US data transfers. We know from the UK’s recent experience there are many hurdles yet to overcome but it is possible for the EU Commission to reach an adequacy decision in around 6 months - and this fits with the widely reported date of March 2023.

Some commentators believe there will be a clause in any such adequacy decision that stipulates the legal protections set out in the Executive Order must be maintained, similar to the approach the EU Commission took with the UK, and this is seen as a way to ensure if any future president were to overturn the Executive Order that the protections it affords would be maintained.

Schrems’ and other privacy activists’ initial views

While most of the rhetoric around these announcements has been positive, if not glowing, Max Schrems and noyb unsurprisingly have a different view. In the first reaction post on noyb’s website they state “Biden's new Executive Order seems to fail on both requirements [of the CJEU in Schrems II]. There is continuous "bulk surveillance" and a "court" that is not an actual court.”

They continue "The EU and the US now agree on the use of the word 'proportionate' but seem to disagree on the meaning of it. In the end, the CJEU's definition will prevail - likely killing any EU decision again. The European Commission is turning a blind eye on US law again and allowing the continued surveillance of Europeans.”

noyb is not the only organisation underwhelmed by the Executive Order, the American Civil Liberties Union (ACLU) stated “Although the executive order is a step in the right direction, it does not meet basic legal requirements in the EU, leaving EU-U.S. data transfers in jeopardy going forward” and the Trans Atlantic Consumer Dialogue (TACD) said “In the commercial space the protections have been too weak and failed to ensure the essentially equivalent level of protection required under EU law. What is required is a sustainable arrangement that guarantees privacy protection and legal certainty, and self-regulatory solutions cannot substitute a regulatory system”.

As for the DPRC it fairs no better in the mind of Schrems. As the DPRC is set up in the executive branch of the US government rather than in the judiciary, Schrems believes that it “would not amount to “judicial redress” as required under the EU Charter”.

It is worth understanding the reasoning behind this approach to the DPRC and it comes down to a difference in jurisprudence between the common law US legal system and the civil law legal system in most of the EU. To have standing to sue in a US court there needs to be proof of “injury in fact”. This would be difficult to prove given surveillance is often covert. By situating the DPRC in the executive branch this requirement is not necessary and provides the individual with a route to redress – the outcome envisaged in Schrems II. The independence of the DPRC, the express prohibition of interference by the Attorney General, the binding of intelligence agencies to comply with the DPRC’s determination and remediation and the possibility of increased transparency are clearly intended to address potential concerns that the court is situated in the executive branch.

If there is a challenge it will be interesting to see whether the technical legal argument of the DPRC not being a court within the “legal meaning of Article 47 of the Charter or the US Constitution” as argued by Max Schrems, or a more pragmatic outcomes based argument on achieving redress for the individual through this mechanism, will prevail. Again, we will need to wait and see what happens…we will be watching this space!

2. UK/US Joint Statement

Back on this side of the pond, the UK/US joint statement is in two parts, dealing with the UK/US Technology Partnership (Partnership) as well as cross-border data flows. One of the shared priorities under the Partnership is “bilateral and globally-interoperable frameworks for cross-border data flows, and support for data innovation, including through the launch of prize challenges for privacy-enhancing technologies”, and one of the three areas of focus for the year ahead for the new “senior-level Comprehensive Dialogue on Technology and Data” will be data.

As for data flows the headline is there is “significant progress on UK-US data adequacy discussions”. Building on the December 2021 UK-US joint statement on deepening the data partnership, negotiations have continued and on 7 October 2022 the UK welcomed the release of the Executive Order, stating it “intends to work expediently to conclude its assessment, with the aim of issuing an adequacy decision that will restore a stable and reliable mechanism for UK-US data flows”. As part of this arrangement, and in the spirit of reciprocity, the US plans to designate the UK as a qualifying state under the Executive Order, providing that “the conditions for such designation can be satisfied”. All being well this means UK individuals would be able to access the redress mechanism established under the Executive Order if they submit qualifying complaints.

While we don’t have a timeline for the UK’s adequacy assessment, it is clear this is a priority and the Department of Digital, Culture, Media and Sport (DCMS) and the Information Commissioner’s Office (ICO) will continue to work through the UK adequacy manual to reach their conclusion “expediently”. While the UK’s announcement came after the Executive Order it is widely expected the findings of adequacy will be in reverse order with the UK decision pre-dating the EU Commission’s decision.

What does this mean and what should I do?

• Certainty re EU and UK to US transfers

In the short term, both these announcements should provide greater legal certainty for businesses currently transferring data from the EEA or UK to the US, using Article 46 GDPR or UK GDPR transfer mechanisms, e.g. standard contractual clauses (SCCs) or binding corporate rules (BCRs). Finally, we have the Executive Order and the start of an adequacy process for ex-EEA transfers to the US and a clear statement from the UK government that a UK adequacy decision is on its way for ex-UK transfers to the US.

• Update current TIAs

With this in mind it would be prudent to revisit old Transfer Impact Assessments (TIAs) for data transfers to the US in order to incorporate the Executive Order wording. It is clear the US has taken significant and material steps to meet the CJEU’s concerns in Schrems II over the proportionality of surveillance laws and redress for EU and (hopefully with a determination of the UK as a qualifying state) UK citizens.

Longer term this is good news for global businesses as any findings of adequacy (even partial adequacy as long as Privacy Shield is used) for the US will simplify data transfers both from the EEA and the UK to the US. Once the adequacy decisions have been made there will no longer be a need for transfer mechanisms such as the SCCs or to carry out a TIA concerning the laws of the US and whether supplementary measures would be required if Privacy Shield is being used as the transfer mechanism.

• EU SCC Deadline

One note of caution is the 27 December 2022 deadline for replacing the old SCCs for ex-EEA transfers. Many organisations are well into their repapering projects and while the EU’s adequacy decision for the US may feel within touching distance it looks as though it will come several months after this deadline has passed. There is a discussion to be had about what should be done in these circumstances. Should you carry on as the adequacy decision relating to Privacy Shield might be Q1 2023, it might be Q2 or 3 or 4 or theoretically it might not come at all? Are all your vendors signed up to Privacy Shield (see below under “US data companies”)? The answer will depend on many factors such as volume of data and sensitivity of data transferred, compliance and risk appetite within your organisation etc. and it may be that many organisations take the prudent choice to carry on their repapering exercises. If you’d like to discuss this with us, please do get in touch with your usual LS contact.

For ex-UK transfers to the US, it looks like the UK, with its desire to “expediently” conclude its adequacy assessment of the US, will not need to concern itself with the long stop date 21 March 2024 for moving from the old EU SCCs to the International data transfer agreement (IDTA) or the International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (UK Addendum) where Privacy Shield might apply in the future. Rather than move to the IDTA or the UK Addendum we might see a return to Privacy Shield as the primary UK>US transfer mechanism. Of course, should the UK find the US adequate more widely than just limited to Privacy Shield, a UK finding of adequacy for the US will mean no transfer mechanism will be required for such transfers.

• What about Switzerland?

With the direction of travel for ex-EEA and ex-UK data transfers clear, it leaves the question about ex-Swiss transfers. Article 16 of the new Swiss Federal Data Protection Act (FDPA) deals with international data transfers and this legislation is due to come into force on 1 September 2023. The Swiss government has prepared its own proposed list of adequate countries which makes no mention of the US. However, as Switzerland previously recognised the Privacy Shield framework many expect this list will be revised to include the US, perhaps once the EU adequacy decision has been published, but certainly before it comes into force in 2023. This is presumably dependant also on Switzerland being recognised as a qualifying state under the Executive Order.

• What about US data companies?

What is the status of your vendors’ Privacy Shield certification? While many companies maintained their certification in the hope that this day might come, as well as to demonstrate their continued good data protection practices, some may have let it lapse. Now would be a good time to be asking this question of your vendors and ensuring any who have let their certification lapse revalidate it.

Current regulatory issues

And finally, what about regulatory issues? Think the Irish Data Protection Commission’s draft order to Facebook to stop data transfers to the US (see our article here), or the various Google Analytics decisions (see our article here). While some think big tech companies will be breathing a sigh of relief, others think there are more showdowns yet to come! Will pragmatism, the desire to find a way to make international data flows work and pure economics win the day, given the significant and material steps taken by the US to address the CJEU’s concerns in Schrems II? Well as with all good questions only time will tell…