German DPA comments on Executive Order for EU-U.S. Data Privacy Framework

Hogan Lovells

Ever since the White House issued its Executive Order to pave a path for the new EU-U.S. Data Privacy Framework, stakeholders have provided both praise and criticism about whether the Executive Order sufficiently addresses the shortcomings identified by the European Court of Justice in its invalidation of the Privacy Shield in July 2020. As the first data protection authority (DPA) to officially comment on the EO, the DPA of the German state of Baden-Wuerttemberg has expressed concerns on whether the EO could be a sufficient basis for a new adequacy decision for EU-U.S. data transfers. This post summarizes the DPA’s key findings and their relevance to the procedure for the adoption of a new adequacy decision on EU-U.S. data transfers.

Background

On 7 October 2022, U.S. President Biden signed an Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities” (the EO). The EO is intended to serve as the basis for a new adequacy decision by the European Commission, which would serve as a legal mechanism for transfers of personal data from the EEA to recipients in the U.S. – see our blog post here for a summary of the EO and next steps for the new EU-U.S. Data Privacy Framework.

While many stakeholders, including the European Commission, have issued statements welcoming the changes to U.S. law introduced by the new EO, others have expressed concerns about whether the EO satisfies the surveillance law standards specified by the European Court of Justice (CJEU) in its Schrems II decision (judgment of 16 July 2020, C-311/18). In its statement of 26 October 2022, the DPA of Baden-Wuerttemberg, as the first European DPA to officially comment on the new EO, shared concerns about the effectiveness of the EO’s safeguards to protect European fundamental rights.

Opinion of the DPA

In its statement, the Baden-Wuerttemberg DPA expressly welcomed that the U.S. Government is taking action with regard to EU-U.S. data transfers. According to the DPA, a viable agreement is urgently needed, especially for European companies and for all those who rely on U.S.-based service providers. Given this, the DPA considers the changes provided under the EO to be an important step in the right direction.

Not surprisingly, however, the DPA also raises concerns on whether the additional safeguards provided by the EO are sufficient to fully address the standards specified by the CJEU. The DPA particularly addresses the following key points:

  • In more general terms, the DPA is doubtful of the extent to which an executive order can be an effective legal instrument for implementing GDPR safeguards, as it has not been passed by the U.S. legislature. Also, the DPA cited concerns that compliance with an executive order is not directly enforceable by EU citizens, even though the EO creates a path to redress that did not previously exist for non-U.S. persons.

  • With regard to the new safeguards related to signals intelligence activities, the DPA further asked for a clarification on how the EO relates to other existing U.S. regulations such as the CLOUD Act. It also posed the thesis that the obligations for necessary and proportionate data collection by U.S. surveillance authorities introduced under the EO may not equal the European interpretation of the concept of proportionality.

  • With regard to the new judicial redress mechanism introduced by the EO, the DPA takes the view that EU citizens must comply with substantial requirements when filing a complaint with the newly created Civil Liberties Protection Officer (CLPO). The DPA fears that such hurdles could allow for a refusal of "undesirable" complaints – however, the DPA does not substantiate its reasons for this assumption. Further, the DPA criticises that the EO does not provide a mechanism through which complainants would be informed about whether they have actually been subject to intelligence activities by U.S. authorities; rather, they would receive only a notice from the CLPO upon the completion of its review as to whether or not a violation was identified.

  • With respect to the newly constituted Data Protection Review Court (DPRC), the DPA expressed concerns that the DPRC is established under the Attorney General's authority as part of the executive branch, which does not correspond to the concept of judicial independence of traditional courts established within the judicial branch.

In light of these points, the Baden-Wuerttemberg DPA questions whether it is even possible for the European Commission to assess the level of data protection under the U.S. framework and to issue an adequacy decision based solely on the EO.

Relevance for adequacy decision procedure

It is not surprising that a DPA has rendered a critical opinion of the EO and U.S. privacy laws in general. However, this does not change the fact that the EO is a significant advancement following the two-year negotiation between EU and U.S. officials to replace the invalidated Privacy Shield framework with an updated data transfer mechanism. These developments are especially significant because the U.S. Government has not only agreed to update the transfer mechanism, but has also fundamentally changed the scope and impact of U.S. authorities for collecting signals intelligence.

During the procedure for a new adequacy decision, the European DPAs, represented by the European Data Protection Board (EDPB), will provide an opinion on the draft adequacy decision. There is a chance that the EDPB will raise concerns similar to those expressed by the Baden-Wuerttemberg DPA. However, the opinion of the EDPB would not be binding on the European Commission.

Impact on organizations

In our previous blog post, we summarized several action items that organizations transferring personal data to the U.S. should consider in light of the EO (see list of recommended action items here).

Particularly when updating their documentation on existing transfer impact assessments (TIAs) for EU-U.S. data transfers and in ongoing enforcement proceedings, organizations should monitor whether and how their competent DPA has positioned itself on the EO. Often, it will be possible to address potential concerns surrounding EU-U.S. personal data transfers, especially in light of the added protections offered by the EO and the scope and nature of the transfers and implemented additional safeguards.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising
