New Executive Order – impact on transfers of personal data from Europe to the US
Since the banning of Privacy Shield in July 2020 by the European Court of Justice’s (CJEU) decision (the “Schrems II Case”), most transatlantic transfers have been omitted to the tools for international transfers in Article 46 of GDPR and specifically the entering into the Standard Contractual Clauses. In May, President von der Leyen and President Biden announced that they had reached an agreement in principle on a new EU-U.S. Data Privacy Framework (EU-US DPF). On 7 October, President Biden signed what seems to be the first major official step in the EU-US DPF: an Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities”.
This new EO has been drafted with the Schrems II Case in mind and the obvious aim is to address the concerns regarding data protection raised by the CJEU: lower or no protection for EU residents’ personal data in the US.
By implementing the EO, its seems that we are getting closer to an adequacy decision by the European commission, as has been the case with the United Kingdom.
The EO establishes a couple of principles, very similar to the ones relating to processing of personal data in Article 5 of the GDPR: minimization, retention, data security and access, data quality and documentation. These principles shall be complied with by each of the elements included in the US intelligence agencies handling personal information collected through signals intelligence, and the principles shall in many cases explicitly be applied to non-US persons’ personal data the same way as to US persons.
With the implementation of the new EO, there will be further safeguards for US signals intelligence activities. These safeguards will limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security. Signals intelligence collection activities shall only be carried out to pursuit certain legitimate objectives defined in the new EO (such as understanding or assessing the capabilities, intentions or activities of a foreign government, military or organization and for protection against terrorism, espionage, cybersecurity threats and transnational criminal threats), regardless of nationality or country of residence.
In order to implement these new safeguards, the EO requires US intelligence agencies to review and update their policies and procedures. This work shall be reviewed by the Civil Liberties Protection Officer (CLPO) and the Privacy and Civil Liberties Oversight Board. It remains to be seen whether the EU and US definitions of necessary and proportionate will be the same and if this will be deemed sufficient by the CJEU.
Targeted collection shall be prioritized. The bulk collection of signals intelligence shall be based on a determination that the information cannot reasonably be obtained by targeted collection, and reasonable methods and technical measures in order to limit the data collected to what is necessary shall be applied. Also, bulk collection shall only be used in pursuit of specific objectives listed in the new EO.
A new multi-layer mechanism has been created for individuals to access “judicial redress” in cases where the individual wishes to raise a claim and eventually make an appeal. The first layer of review will be the CLPO. EU individuals will be able to lodge a complaint with the CLPO, which is responsible for ensuring compliance by US intelligence agencies with privacy and fundamental rights. Individuals will have the possibility to appeal the decision of the CLPO to the second layer, the Data Protection Review Court (DPRC). This court will be formed by non-US experts within data privacy and national security. The decision of the DPRC will be binding.
Individuals’ claims shall be submitted via an appropriate public authority in a qualifying state. The assessment of being a qualifying state or not is made by the US Attorney General and is based on its laws which must treat U.S.’ persons personal data adequately. A designation may be revoked by the Attorney General if the criteria is no longer met.
The European Commission has announced that it will prepare a draft adequacy decision under Article 45 of the GDPR based on the new EO and launch its adoption procedure, which might take up to six months. This draft will be heard by the European Data Protection Board whose opinion is not binding on the Commission. After that, the EU member states shall vote. The last and final step will be a formal adoption of an adequacy decision by the Commission. This process usually takes four to five months after the Commission has finalized its draft.
To summarize, this EO is only a first step towards a smoother transatlantic transfer of personal data. We are looking forward to an assessment of whether the definitions in the EO are aligned with those in the GDPR and if the safeguards will be deemed to be sufficient, within the process of the Commission’s adequacy decision. When an adequacy decision in place, it is not unlikely however that there eventually will be a trial in the CJEU.