EU-U.S. DPF: Executive Order signed; ball in the EU's court; noyb considers Schrems III.

President Joe Biden signed an Executive Order yesterday, October 7, 2022, that represents one building block of the “EU-U.S. Data Privacy Framework” (“EU-U.S. DPF”, also “Transatlantic Data Privacy Framework” or “TADPF”). The second would be recognition by the EU, and then certainly by the FDPIC, that the level of protection in the US is sufficient within the scope of the TADPF.

The TADPF was announced in March 2022, after almost two years of negotiations between the U.S. and the EU. It is intended to fill the gap that the ECJ tore open with Schrems II.

In the Schrems II judgment, the ECJ found fault with two points of U.S. law in particular:

  • that state access to data must meet the fundamental rights requirements applicable in Europe, for which a legal basis is lacking:

    180 … In those circumstances, that provision … is not such as to ensure a level of protection equivalent to that afforded by the Charter – as interpreted by the case-law reproduced in paragraphs 175 and 176 of the present judgment, according to which a legal basis for interference with fundamental rights, in order to comply with the principle of proportionality, must itself determine the extent to which the exercise of the right in question is restricted, provide for clear and precise rules on the scope and application of the measure in question, and establish minimum requirements – is equivalent in substance to the guaranteed level.

    184 Consequently, it must be assumed that neither Section 702 of FISA nor E.O. 12333 in conjunction with PPD-28 satisfy the minimum requirements existing in Union law under the principle of proportionality, so that it cannot be assumed that the monitoring programs based on these provisions are limited to what is absolutely necessary.

  • and that effective legal remedies are lacking:

    191 In this regard, the Commission … has stated: “Although private individuals, including data subject[s] in the [Union], have a range of legal remedies available to them if they have been subject to unlawful (electronic) surveillance for national security reasons, it is clear that at least some legal bases that U.S. intelligence agencies can use (e.g., [the] E.O. 12333) [are not covered by this].” So, in this 115th recital, it has highlighted, with respect to E.O. 12333, the absence of any remedy. According to the case law reproduced in para. 187 of the present judgment, such a gap in judicial protection against interference connected with the intelligence programs based on that Presidential Decree precludes the Commission’s finding in the Privacy Shield Decision that United States law guarantees a level of protection equivalent in substance to that guaranteed by Article 47 of the Charter.

    192 Moreover, with respect to both the surveillance programs based on Section 702 of FISA and those based on E.O. 12333, it has been held in paras. 181 and 182 of the present judgment that neither PPD-28 nor E.O. 12333 confer on the persons concerned any rights that can be enforced in court against the U.S. authorities, so that those persons do not have an effective remedy at law.

Against this backdrop, the Executive Order, according to the White House Fact Sheet, essentially provides for the following:

  • protective measures in relation to U.S. signals intelligence activities (“signals intelligence” or “upstream surveillance”; i.e., the systematic interception of data as it is transmitted, for example on the basis of FISA 702 and EO 12333, both of which were the focus of the ECJ), such as a restriction to proportionate activity for certain national security purposes and with due regard to data protection, also for the benefit of non-U.S. citizens;
  • specifications for handling personal data and expanded responsibilities of appropriate officials to ensure that appropriate action is taken when violations occur;
  • an update of the policies and procedures of the U.S. Intelligence Community;
  • independent legal protection for individuals from Qualifying States and for certain organizations in cases of alleged data breaches, first through the Civil Liberties Protection Officer (CLPO), who can make binding decisions, and then through a new Data Protection Review Court (DPRC), which may review decisions of the CLPO. The DPRC shall be composed independently and act without instructions from the government;
  • a periodic review of Intelligence Community policies and procedures by the existing Privacy and Civil Liberties Oversight Board (PCLOB).

The full text of the Executive Order is available here.

The ball is now in the court of the EU Commission, which can now initiate the procedure for an adequacy decision. Within this framework, the European Data Protection Board (EDPB/EDSA) and the member states will express their views, and the European Parliament has a right of scrutiny. Further information can be found in the Questions & Answers of the EU Commission on the TADPF. In the meantime, companies continue to rely on the standard contractual clauses (unless exceptions or other “transfer tools” apply).

Unsurprisingly, the reaction from noyb, the NGO of Max Schrems, is: “Executive Order on US Surveillance unlikely to satisfy EU law”. The reasons given are that

  • the surveillance measures continue:

    However, despite changing these words, there is no indication that US mass surveillance will change in practice. So-called “bulk surveillance” will continue under the new Executive Order (see Section 2 (c)(ii)) and any data sent to US providers will still end up in programs like PRISM or Upstream, despite the CJEU declaring US surveillance laws and practices as not “proportionate” (under the European understanding of the word) twice.

  • the DPRC is not a real court:

    “Court” is not a real Court. The Executive Order is meant to also add redress. There will now be a two step procedure, with the first step being an officer under the Director of National Intelligence and a second step being a “Data Protection Review Court”. However, this will not be a “Court” in the normal legal meaning of Article 47 of the Charter or the US Constitution, but a body within the US government’s executive branch. The new system is an upgraded version of the previous “Ombudsperson” system, which was already rejected by the CJEU. It seems clear that this executive body would not amount to “judicial redress” as required under the EU Charter.

  • affected persons are still not informed whether they were actually affected by surveillance:

    As before, the US government will neither confirm nor deny that the user was under surveillance and will only inform the user that there was either no violation or it was remedied (see Section 3(c)(E) of the EO). The user will not know more. This also makes the option for an appeal useless, as there is simply nothing to appeal about, as long as the user got this rubber stamp answer.

noyb intends to analyze the legal situation further and then decide whether to pursue Schrems III.



