President Joe Biden signed an Executive Order yesterday, October 7, 2022, that establishes one of the two building blocks of the “EU‑U.S. Data Privacy Framework” (“EU‑U.S. DPF” or “Transatlantic Data Privacy Framework”, “TADPF”). The second would be the recognition by the EU, and then certainly by the FDPIC, of an adequate level of protection in the US within the scope of the TADPF.
The TADPF was announced in March 2022, after almost two years of negotiations between the U.S. and the EU. It is intended to fill the gap that the ECJ tore open with Schrems II.
In the Schrems II judgment, the ECJ had found fault with two points of U.S. law in particular:
- that state access to data must meet the fundamental-rights requirements applicable in Europe, and that a sufficient legal basis is lacking:
180 … In those circumstances, that provision … is not such as to ensure a level of protection equivalent to that afforded by the Charter – as interpreted by the case-law reproduced in paragraphs 175 and 176 of the present judgment, according to which a legal basis for interference with fundamental rights, in order to comply with the principle of proportionality, must itself determine the extent to which the exercise of the right in question is restricted, provide for clear and precise rules on the scope and application of the measure in question, and establish minimum requirements – is equivalent in substance to the guaranteed level.
…
184 Consequently, it must be assumed that neither Section 702 of FISA nor E.O. 12333 in conjunction with PPD-28 satisfy the minimum requirements existing in Union law under the principle of proportionality, so that it cannot be assumed that the monitoring programs based on these provisions are limited to what is absolutely necessary.
- and that effective legal remedies are lacking:
191 In this regard, the Commission … has stated: “Although private individuals, including data subject[s] in the [Union], have a range of legal remedies available to them if they have been subject to unlawful (electronic) surveillance for national security reasons, it is clear that at least some legal bases that U.S. intelligence agencies can use (e.g., [the] E.O. 12333) [are not covered by this].” So, in this 115th recital, it has highlighted the absence of any remedy with respect to E.O. 12333. According to the case law reproduced in para. 187 of the present judgment, such a gap in judicial protection against interference connected with the intelligence programs based on that Presidential Decree precludes the Commission’s finding in the Privacy Shield Decision that United States law guarantees a level of protection equivalent in substance to that guaranteed by Article 47 of the Charter.
192 Moreover, with respect to both the surveillance programs based on Section 702 of FISA and those based on E.O. 12333, it has been held in paras. 181 and 182 of the present judgment that neither PPD-28 nor E.O. 12333 confer on the persons concerned any rights that can be enforced in court against the U.S. authorities, so that those persons do not have an effective remedy at law.
Against this backdrop, the Executive Order, according to the White House Fact Sheet, essentially provides for the following:
- “Protective measures” in relation to U.S. signals intelligence activities (“signals intelligence” or “upstream surveillance”; i.e., with respect to systematic interception of data as it is transmitted, for example, on the basis of FISA 702 and EO 12333, both of which were the focus of the ECJ), such as a restriction to proportionate activity for certain national security purposes and in consideration of data protection, also for the benefit of non‑U.S. citizens;
- Specifications for handling personal data and expanded responsibilities of appropriate officials to ensure that appropriate action is taken when violations occur;
- an update of the policies and procedures of the U.S. Intelligence Community;
- independent legal protection for individuals from Qualifying States and for certain organizations in cases of alleged data breaches, first through the Civil Liberties Protection Officer (CLPO), who can make binding decisions, and then through a new Data Protection Review Court (DPRC), which may review decisions of the CLPO. The DPRC or DPRCs are to be composed independently and act without instructions from the government;
- the existing Privacy and Civil Liberties Oversight Board (PCLOB) shall periodically review Intelligence Community policies and procedures.
The full text of the Executive Order is available here.
The ball is now in the court of the EU Commission, which can now initiate the procedure for an adequacy decision. Within this framework, the European Data Protection Board (EDPB/EDSA) and the member states will express their views, and the European Parliament has a right of scrutiny. Further information can be found in the Questions & Answers of the EU Commission on the TADPF. In the meantime, companies continue to rely on the standard contractual clauses (unless exceptions or other “transfer tools” apply).
Unsurprisingly, the reaction from noyb, the NGO of Max Schrems, is headlined “Executive Order on US Surveillance unlikely to satisfy EU law”. This is justified by the fact that
- the monitoring measures are continued:
However, despite changing these words, there is no indication that US mass surveillance will change in practice. So-called “bulk surveillance” will continue under the new Executive Order (see Section 2 (c)(ii)) and any data sent to US providers will still end up in programs like PRISM or Upstream, despite the CJEU declaring US surveillance laws and practices as not “proportionate” (under the European understanding of the word) twice.
- the DPRC is not a real court:
“Court” is not a real Court. The Executive Order is meant to also add redress. There will now be a two-step procedure, with the first step being an officer under the Director of National Intelligence and a second step being a “Data Protection Review Court”. However, this will not be a “Court” in the normal legal meaning of Article 47 of the Charter or the US Constitution, but a body within the US government’s executive branch. The new system is an upgraded version of the previous “Ombudsperson” system, which was already rejected by the CJEU. It seems clear that this executive body would not amount to “judicial redress” as required under the EU Charter.
- Affected persons are still not informed whether they were actually affected by surveillance:
As before, the US government will neither confirm nor deny that the user was under surveillance and will only inform the user that there was either no violation or it was remedied (see Section 3(c)(E) of the EO). The user will not know more. This also makes the option for an appeal useless, as there is simply nothing to appeal about, as long as the user got this rubber-stamp answer.
noyb intends to analyze the legal situation further and then decide whether to target Schrems III.