New Transatlantic Data Bridge or a Road to Schrems III? Biden's Executive Order on an EU-US Privacy Framework

by Matthias Horn // On 7 October 2022, US President Biden signed Executive Order 14086, “Enhancing Safeguards for United States Signals Intelligence Activities” (the “E.O.”). The E.O. is the first concrete legal step by the US Government to address the challenges to transatlantic data flows since the much-debated Schrems II decision of the Court of Justice of the EU (CJEU), which invalidated the EU-US Privacy Shield in 2020. The Court's main reasoning was that U.S. surveillance laws do not contain adequate data protection safeguards and do not provide an adequate legal remedy for non-U.S. individuals whose personal data has been unlawfully obtained. Without this transfer mechanism under EU law, a major part of transatlantic data flows may be non-compliant with the requirements of the GDPR. In March 2022 the EU and the US reached a political agreement on a new data transfer mechanism, the EU-US Data Privacy Framework.

The E.O.

The E.O. now translates the steps the US committed to politically into legal implementation addressing the findings of the CJEU. In particular, the Executive Order obliges all executive agencies involved in signals intelligence activities to conduct such activities only in pursuit of twelve defined “legitimate objectives” and only as necessary to advance those objectives. Additionally, the E.O. sets out four “prohibited objectives”.

All such activities shall take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence (!), and shall be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority. Agencies are instructed to limit “bulk” surveillance and to limit the dissemination and retention of personal data obtained through surveillance. These requirements must be seen as responses to the CJEU's critique that U.S. surveillance laws do not “indicate in what circumstances and under which conditions” personal data may be collected and do not provide “minimum safeguards” for the protection of personal data.

The E.O. also introduces new oversight rules and a new review and redress mechanism, requiring each agency to have an officer responsible for assessing compliance with the E.O. and other applicable U.S. law.

CLPO and DPRC

The first layer of oversight is the Civil Liberties Protection Officer (CLPO) within the Office of the Director of National Intelligence. To ensure a “legitimate” purpose, the E.O. tasks the Director of National Intelligence (“Director”) with validating collection activities in cooperation with the CLPO, who must verify that the collection advances a legitimate objective, does not pursue any prohibited objective and was established after “appropriate consideration” of the privacy and civil liberties of any person involved.

Individuals may submit complaints to the CLPO, who is appointed to investigate and, if necessary, remediate them. To this end, the E.O. requires the Director, in consultation with the Attorney General and the heads of the other government agencies that use the collected information, to establish a process for submitting complaints. Upon submission, the CLPO reviews whether the collection at issue violated the prohibited objectives or other provisions of the E.O. If the CLPO finds a violation, the CLPO is responsible for determining the appropriate remediation, providing a report to the Assistant Attorney General for National Security and notifying the relevant executive agency.

Should the complainant or the executive agency dispute the CLPO's determination, either can apply for review by the newly introduced Data Protection Review Court (DPRC), the second layer of oversight. The DPRC can order its own remediation if it disagrees with the CLPO's determination. Unlike the Foreign Intelligence Surveillance Court, it is not staffed with federal judges. The DPRC judges are selected by the Attorney General from “legal practitioners with appropriate experience in the fields of data privacy and national security law” who are not U.S. government employees and who, for the duration of their tenure on the court, have no other government duties. The three-member panel of the Court additionally designates a Special Advocate to represent the complainant's interests throughout the process. The DOJ has already established the DPRC by issuing the accompanying regulations.

This different approach is intended to address the CJEU's finding that the oversight body under the Privacy Shield, a State Department official known as the Privacy Shield Ombudsperson, was not sufficiently independent from the US government.

A sufficient step forward?

The E.O. clearly addresses the concerns expressed by the CJEU. The introduction of legitimate and prohibited surveillance objectives and of the concept of proportionality is a concrete improvement, adding new safeguards to ensure the legally justified and proportionate use of signals intelligence activities.

The obvious weakness of this approach lies in the nature of the legal instrument the US Government has chosen to address the issues raised by the CJEU. The political durability of an Executive Order may be too weak to convince the CJEU, as it could easily be revoked by the next US President.

The multi-layered mechanism for the legal protection of non-US citizens might also not be enough to satisfy the concerns of the European courts, as it remains to be seen to what extent the DPRC can be regarded as an independent judicial body.

Some European authorities have already expressed corresponding concerns, highlighting that the legal form of an Executive Order is not sufficient to ensure lasting legal protection for European citizens. It also remains to be seen how this abstract legal framework will be implemented in practice. Accordingly, some EU authorities are already calling for conditions and reservations to be included in the adequacy decision.

Next Steps

Now the European Commission must determine whether the new framework provides an adequate level of protection. The Commission has already published a Q&A laying out the next steps and will adopt a final adequacy decision only after it and several other EU institutions have reviewed and approved the framework. As the European Commission has already politically committed itself to this framework, it is highly likely that an adequacy decision will follow soon. The last word, however, will belong to the CJEU. The suspense remains.

Matthias Horn is a Lawyer for Data Law at Axel Springer SE