After announcing a political agreement on 25 March 2022, the US government has now announced more details on how it intends to put mass surveillance by intelligence agencies on a rule-of-law footing. In this connection, President Biden signed an Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities, effective immediately.
The US Executive Order addresses the criticism of the Court of Justice of the European Union (CJEU) in its Schrems II ruling of 16 July 2020 (C-311/18), which declared the previous Privacy Shield Framework invalid because mass surveillance by US intelligence agencies did not meet the minimum standards of the rule of law. The new Executive Order is intended to comply with these minimum standards of the rule of law and facilitate a new adequacy decision by the EU Commission, which was announced for Privacy Shield-certified companies.
New legal protection mechanism for EU citizens
A major point of criticism by the CJEU was the ombudsperson mechanism of the Privacy Shield Framework. This allowed EU citizens to complain about surveillance by US intelligence agencies to their local data protection authorities who were obliged to forward these complaints to an ombudsperson at the US State Department. The ombudsperson was then required to process the complaint and remedy any violations.
In Schrems II, the CJEU held that this was not sufficient legal protection under Article 47 of the Charter of Fundamental Rights since the ombudsperson, as an administrative employee, did not have genuine independence like a court and did not have any rights of intervention to remedy violations.
Instead, the new Executive Order creates a two-layer redress mechanism to review violations of the Executive Order and other US laws by US intelligence agencies:
The first layer is similar to the previous ombudsperson mechanism. Like the previous ombudsperson mechanism, citizens must file complaints with data protection authorities of their home state, which must forward it to the US government. Instead of an ombudsperson at the US State Department, the Privacy Officer or Officers of the US Intelligence Coordination Centre will process the complaints. Once a complaint has been processed, the Privacy Officer will inform the respective citizen that a decision has been made. The content of the decision, on the other hand, will remain confidential.
Even though they do not know the outcome, citizens can appeal the decision with a quasi-judicial Data Protection Review Court. Although the Data Protection Review Court is not part of the judiciary, it is intended to be as independent as possible within the executive. It must be composed of persons who are not members of the US government (e.g. former judges). Since the citizens launching the appeals are not allowed to participate in the proceedings, a lawyer appointed by the Data Protection Review Court will represent them. The Data Protection Review Court must then comprehensively review the decision by the Privacy Officer. It can additionally obtain information from all US intelligence agencies. Finally, the review court will inform the respective citizens that a decision has been taken, the contents of which will also remain confidential.
This legal protection mechanism is open to all citizens of those states that the US Department of Justice has designated on the basis of criteria specified in the Executive Order. The US Department of Justice is not only required to consider whether these states require rule-of-law safeguards for data transferred to the US, but also whether these states grant such rights to their intelligence agencies. This "equality of arms" goes back to the US government's criticism that EU states also provide for comparably far-reaching surveillance measures. The Judicial Redress Act announced under the previous Privacy Shield Framework already provided for such a bilateral mechanism for its limited right of action even though this mechanism did not play a major role in practice.
The new Data Protection Review Court is a convenient solution to meet the formal requirements laid down by the CJEU concerning sufficient legal protection. It remains questionable whether a quasi-judicial body instead of a "real" court will be sufficient for the CJEU. What is more, the respective citizens cannot influence the secret procedure, which raises additional questions about rule of law. For example, the principle of fair trial provided for by Art. 6 of the European Convention on Human Rights requires a public hearing and the right to be heard in court proceedings.
Scope of mass surveillance limited "on paper" at least
The Executive Order also contains requirements on the scope of surveillance by US intelligence agencies by defining permissible purposes. Although broadly worded, these requirements largely correspond in terms of their content to the previous "Presidential Policy Directive – Signals Intelligence Activities"(PPD-28) from 2014.
Specifically, the US government has specified individual requirements and adapted them to European legal language. In particular, the European Commission emphasises in this regard that surveillance by intelligence agencies should be "necessary" and "proportionate". Since PPD-28 still refers to restricting surveillance to the necessary extent ("as tailored as feasible"), it remains to be seen whether US intelligence agencies in practice will meet an approximation of the proportionality test in the European sense.
There have, by contrast, not been any changes to FISA Sec. 702, which was also criticised by the CJEU. (Amending FISA would have required a resolution by the frequently divided US Congress).
Insignificant updates to the requirements for Privacy Shield-certified companies
The Privacy Shield certification is to remain largely unchanged.
For example, the name "Privacy Shield" is to be retained. The existing certifications will also continue to apply.
Final adequacy decision to come down in six months
The US State Department will summarise the content of the Executive Order and the updated Privacy Shield Principles in a letter to the EU Commission.
The EU Commission will then publish a draft adequacy decision for Privacy Shield-certified companies. In the case of the previous Privacy Shield Framework, this took place about one month after the US government announced the changes.
Subsequently, the European Data Protection Board will issue an opinion on this adequacy decision, but will not be able to reject it (Art. 70 (2) (s) GDPR, EC 105 p. 3 GDPR). In addition, member states can give their opinion in what is referred to as the "comitology procedure" (Art. 45 (3) sentence 4 GDPR). Finally, the Commission will publish the adequacy decision in the Official Journal of the European Union (Art. 45 (8) GDPR).
Overall, the procedure for the previous Privacy Shield took about half a year. (The draft of the adequacy decision was completed on 29 February 2016; publication in the Official Journal took place on 1 August 2016).
Conclusion: future of transatlantic data flows still uncertain
After Safe Harbour and Privacy Shield, the EU and the USA are now for the third time trying to find a compromise between the high standard of protection of European data protection law and US mass surveillance that continues to be desired on the political front.
Therefore, the fate of the EU-US Data Privacy Framework will once again be decided by the CJEU. Civil rights organisations, such as NOYB led by Max Schrems, have already criticised the EU-US Data Privacy Framework and announced that they will file complaints. However, it is unclear whether it will actually be possible to bring the new adequacy decision before the CJEU in a few months as NOYB has announced. Even with the previous Privacy Shield Framework, the first complaint was only filed six weeks after publication of the adequacy decision and it was overturned after almost four years on the basis of another complaint. Safe Harbour was actually in force for 15 years.
Until the final adequacy decision, data controllers must continue to secure data transfers with other transfer mechanisms, in particular standard contractual clauses. Even after this time, controllers should continue to enter into standard contractual clauses with US companies as a precautionary measure in case it is repealed. In this way, data controllers will have fewer concerns about the appearance of a "Schrems III" decision.