On 7 October, President Biden signed an executive order that would limit the ability of American national security agencies to access people’s personal information as part of the transatlantic data sharing agreement with the European Union (EU).
This executive order follows lengthy negotiations between the United States (US) and EU after the Court of Justice of the European Union (CJEU) ruled in 2020 that the US did not sufficiently protect Europe’s data when it was transferred across the Atlantic. The judges’ concerns focused on how US surveillance programmes did not have proper measures for European citizens to address how the government collected their data.
What is new?
The Data Privacy Framework (DPF) includes three components:
- Commercial data protection principles to which US organizations may self-certify: the Privacy Shield will be updated to refer to the GDPR directly and US organizations must ensure they remain abreast of these developments.
- A presidential executive order: this requires US intelligence authorities to limit US signals intelligence activities to what is necessary and proportionate. The executive order imposes necessity and proportionality limits first by mandating them explicitly, then by explaining what that mandate means and finally by prescribing oversight mechanisms to verify that intelligence agencies follow the new rules. What this will mean in practice is also included.
- DOJ regulations: a two-step redress system will be introduced, which includes a new Data Protection Review Court. The first tier is an evaluation of a submitted claim by the Civil Liberties Protection Officer (CLPO) and the second tier is the Data Protection Review Court. This court is meant to process complaints concerning the legality of US signals intelligence activities transmitted from “qualifying states” for covered violations of US law.
Max Schrems’ response
The day the executive order was issued, Max Schrems and noyb.eu published their first reaction, indicating that the executive order is unlikely to satisfy EU law. According to Schrems, the executive order does not offer any solution: there will be continuous “bulk surveillance” and a “court” that is not an actual court.
Bulk surveillance will continue by means of two types of ‘proportionality’. The words “necessity” and “proportionate” have been included, but the EU and US did not agree that they will have the same legal meaning. In the end, the CJEU’s definition will prevail, therefore muting any EU decision again.
The “court” will not be a court but rather a body within the US government’s executive branch. The new system is an upgrade of the previous “Ombudsperson” system, which was rejected by the CJEU, and it appears that it will not amount to “judicial redress” as required under the EU Charter.
noyb.eu has indicated that they are in the process of working on an in-depth analysis, which will be published soon. If the Commission’s decision is not in line with EU law and the relevant CJEU judgments, noyb.eu will likely bring another challenge before the CJEU.
What is next?
The European Commission will now launch its adequacy assessment. This process requires the Commission to put forward a draft adequacy determination, the EDPB to issue a nonbinding opinion, EU Member States to vote to approve the decision and the European Commission College of Commissioners to formally adopt it. The European Parliament may also weigh in with a non-binding resolution at any stage.
Previously, this process has taken four or five months once the Commission finalizes its draft. Should this trend be followed, it is expected that in March 2023 further clarification will be provided. Until then, however, organizations should not be under the impression that this relieves them from their obligation to conclude the Standard Contractual Clauses (SCC), including the performance of a Transfer Impact Assessment (TIA), by the 27th of December 2022.