Background and Impact
On July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued its landmark decision in the Schrems II case, which invalidated the Privacy Shield data transfer framework. In its judgment, the CJEU found that the European Commission’s adequacy decision legitimizing Privacy Shield was invalid because it did not sufficiently consider U.S. intelligence agencies’ authority to access EU personal data in the U.S. In particular, the CJEU found that U.S. intelligence agencies’ authority to access personal data in bulk violated EU law because (1) the legal frameworks for surveillance did not limit data collection to that which is strictly necessary, and (2) EU data subjects did not have actionable redress to challenge that data collection. After Schrems II, thousands of organizations could no longer rely on Privacy Shield to transfer EU personal data to the U.S.
The Schrems II decision also noted that EU standard contractual clauses (“SCCs”), another popular transfer mechanism, continue to be valid in principle but that data exporters and importers relying on SCCs are required to perform and document transfer impact assessments (“TIAs”) to confirm that the laws in recipient jurisdictions do not impede operation of the SCCs. In practice, the result of the Schrems II judgment was that the vast majority of organizations transferring EU personal data had to adopt SCCs and document TIAs internally to confirm the laws of recipient jurisdictions did not result in a violation of EU fundamental rights. This requirement has vexed organizations for the past two years, requiring costly assessments of often-opaque national security surveillance laws around the world.
One of the appeals of the new EO is that, to the extent that it results in a determination that U.S. laws are adequate to receive European transfers of data (along with a DPF certification or use of SCCs), TIAs for transfers to the U.S. will become easier, as the risk of unjustifiable data access will be considerably lower. In the interim, because the EO immediately reshapes the powers U.S. intelligence agencies have to access personal data, organizations should consider updating their TIAs to account for the new EO and its additional constraints on U.S. surveillance activities (and particularly once the EO’s redress mechanism is applied to EU data subjects, as described below).
What the EO Does
The EO does not replace existing U.S. surveillance laws. Rather, it adds a layer of protection for individuals by providing additional due process protections to the use of surveillance mechanisms by U.S. intelligence agencies. This includes the creation of a mechanism for individuals residing in certain non-U.S. jurisdictions to seek review of complaints regarding data collection by U.S. intelligence agencies.
Unlike previous legal authorizations and restrictions of surveillance authorities (e.g., under the U.S. Privacy Act, Executive Order 12333, and Presidential Policy Directive 28), the EO does not establish different protections for U.S. persons and non-U.S. persons, instead imposing due process protections on the data collection activities of U.S. surveillance agencies regardless of the subject of their surveillance. Furthermore, while the EO’s redress mechanism is not immediately applicable (i.e., the independent administrative court must first be established and the EU must be designated by the Attorney General as a “qualifying state”), the principles-based safeguards it implements have immediate effect.
Below is a summary of the two types of protections arising under the EO: (1) principles-based safeguards and (2) the redress mechanism.
The EO mandates that signals intelligence activities be subject to additional safeguards. These include requiring that such activities be conducted only in pursuit of defined national security objectives and that the activities take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence. The EO further prescribes that such signals intelligence be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportional to that priority. These protections are intended to approximate protections under EU law, to further support the argument that U.S. intelligence agencies are subject to essentially equivalent protections.
Further, signals intelligence activities may only be conducted pursuant to specific objectives defined in the EO, such as understanding or assessing the capabilities, intentions, or activities of a foreign government, a foreign military, a faction of a foreign nation, a foreign-based political organization, or an entity acting on behalf of or controlled by any such entities; protecting against foreign military capabilities and activities; protecting against terrorism; protecting against espionage; and protecting against cybersecurity threats created or exploited by, or malicious cyber activities conducted by or on behalf of, a foreign government, foreign organization, or foreign person.
The EO also notably contains a list of purposes for which signals intelligence collection activities may not occur. These are:
- Suppressing or burdening criticism, dissent, or the free expression of ideas or political opinions by individuals or the press;
- Suppressing or restricting legitimate privacy interests;
- Suppressing or restricting a right to legal counsel; or
- Disadvantaging persons based on their ethnicity, race, gender, gender identity, sexual orientation, or religion.
The EO places additional restrictions on the collection of signals intelligence, but stops short of prohibiting bulk collection. Although it notes that “targeted collection shall be prioritized,” it acknowledges that bulk collection may still occur. In order to address concerns over bulk collection, the EO states that “[…] the Intelligence Community shall apply reasonable methods and technical measures in order to limit the data collected to only what is necessary to advance a validated intelligence priority, while minimizing the collection of non-pertinent information” and sets forth a set list of objectives, similar to the list above, for which bulk collection may be permitted.
In addition to the limitations the EO places on signals intelligence activities, the EO requires U.S. intelligence agencies to adhere to certain data-handling principles, including data minimization through the establishment of policies and procedures; limitations on dissemination of personal information, including for non-U.S. residents; limitations on retention of non-U.S. citizens’ personal data to align it with legal requirements for retention of U.S. citizens’ personal data; and requirements for data security and access. Finally, the EO requires the heads of the U.S. intelligence agencies to update their policies and procedures to be consistent with the EO and mandates consultation and review by the Privacy and Civil Liberties Oversight Board (“PCLOB”).
The second key protection added by the EO is a two-layer redress mechanism to ensure that complaints against U.S. intelligence agencies’ activities can be reviewed, including by the intelligence community and an independent review court.
Under the first layer, EU individuals will be able to lodge a complaint with the newly created Civil Liberties Protection Officer (“CLPO”) in the Office of the Director of National Intelligence. The CLPO is required to conduct an independent initial investigation of qualifying complaints (i.e., complaints transmitted by the appropriate public authority concerning U.S. signals intelligence activities) received to determine whether the EO’s enhanced safeguards or other applicable U.S. laws were violated and, if so, to determine the appropriate remediation. The Director of National Intelligence (“Director”) has until December 6, 2022 (i.e., 60 days from the publication of the EO) to design the complaint intake process.
The CLPO is charged with investigating qualifying complaints in a manner that protects classified or otherwise privileged or protected information. For each qualifying complaint the CLPO is required to:
- Review information necessary to investigate the qualifying complaint;
- Identify whether there was a covered violation by:
  - taking into account both relevant national security interests and applicable privacy protections;
  - giving appropriate deference to any relevant determinations made by national security officials; and
  - applying the law impartially.
- Determine the appropriate remediation for any covered violation;
- Provide a classified report on information indicating a violation of any authority subject to the oversight of the Foreign Intelligence Surveillance Court (“FISC”) to the Assistant Attorney General for National Security, who is required to report violations to the FISC in accordance with its rules of procedure;
- After the review is completed, inform the complainant, with certain limitations, regarding whether a violation was identified, that the complainant has the option to apply for a review of the determination by a newly constituted Data Protection Review Court (“DPRC”), and that a special advocate will be appointed in the event of a review by the DPRC;
- Maintain appropriate documentation of its review of the qualifying complaint and produce a classified decision explaining the basis for its factual findings, its determination with respect to whether a covered violation occurred, and its determination of the appropriate remediation as appropriate;
- Prepare a classified ex parte record of review; and
- Provide any necessary support to the DPRC.
The EO builds in a number of transparency mechanisms to this process. For example, the EO encourages the PCLOB to conduct an annual review of the processing of qualifying complaints, including providing the President, the Attorney General, the Director, the heads of elements of the Intelligence Community, the CLPO, and the congressional intelligence committees with a classified report detailing the results of its review; releasing to the public an unclassified version of the report; and publicly certifying whether the newly established redress mechanism is processing complaints consistent with the EO.
The Order also calls for the Attorney General to promulgate regulations establishing the DPRC (which have since been released); the DPRC’s purpose is to review determinations of the CLPO upon an application from an individual complainant or an element of the Intelligence Community. Judges on the DPRC will be appointed from outside the U.S. government, have relevant experience in the fields of data privacy and national security, review cases independently, and receive protections against removal. Special advocates appointed by the DPRC in each case will advocate on behalf of the complainant’s interest in the matter and inform the DPRC of the issues and relevant law.
In order to implement this redress mechanism (i.e., CLPO and the follow-on DPRC review), the EO authorizes the Attorney General to designate a jurisdiction (i.e., a country or regional economic integration organization) as a qualifying state for purposes of the redress mechanism. A “qualifying state” is one where:
- The laws of the country, the regional economic integration organization, or the regional economic integration organization’s member countries require appropriate safeguards in the conduct of signals intelligence activities for United States persons’ personal information that is transferred from the United States to the territory of the country or a member country of the regional economic integration organization;
- The country, the regional economic integration organization, or the regional economic integration organization’s member countries permit, or are anticipated to permit, the transfer of personal information for commercial purposes between the territory of that country or those member countries and the territory of the United States; and
- Such designation would advance the national interests of the United States.
The Attorney General’s office has the power, in consultation with other federal agencies, to revoke or amend a “qualifying state” designation if the criteria above are not met.
The provisions governing both the CLPO and the DPRC enhance existing statutory CLPO functions. Specifically, by establishing that the CLPO’s decision (and the decision of the DPRC if a complaint is reviewed) will be binding on U.S. intelligence agencies, and by providing protections to ensure the independence of the CLPO’s investigations and determinations and of the DPRC’s review, the EO aims to counter the CJEU’s finding that U.S. law does not grant EU data subjects actionable redress in the court system and therefore “no right to an effective remedy.”
Path Forward for a New Data Transfer Mechanism
The EO is a significant advancement following the two-year negotiation between EU and U.S. officials to replace the invalidated Privacy Shield framework and clears the path for an updated data transfer mechanism to be adopted. The European Commission issued a Q&A document, published contemporaneously with the EO’s release, committing to begin the process of adopting an adequacy determination that would allow organizations certified by the U.S. Department of Commerce under the new DPF to transfer personal data between the EU and U.S. This program replaces the invalidated Privacy Shield, and it is expected to take 6 months for the Commission to issue the required adequacy determination for the DPF. During the EU’s political review process, the European data protection authorities will have a chance to issue their opinion on the new adequacy decision, which would, however, not be binding on the European Commission (see IAPP’s outline of the process).
What to do now?
Organizations transferring personal data to the United States should now consider:
- Updating existing TIAs covering transfers of European personal data (including from the UK) to the U.S., as the EO will immediately affect the risk of access to such data by U.S. intelligence agencies, making existing mechanisms in place, such as SCCs or Binding Corporate Rules, more effective.
- Monitoring how European data protection authorities react and position themselves on the EO until an adequacy decision is adopted. In ongoing enforcement proceedings regarding data transfers to the U.S., data protection authorities would need to consider the new EO when assessing the lawfulness of the transfer.
- Monitoring developments related to the Department of Commerce’s publication of new DPF principles, as well as the EC’s adoption of an adequacy decision covering the DPF and any impact that the EO may also have on the potential adequacy of the U.S. framework from a UK perspective.
- For organizations that have maintained their Privacy Shield certification, monitoring for information about how existing certifications may be adapted for the DPF.
Authored by: Bret Cohen, Eduardo Ustaran, James Denvil, Henrik Hanssen, Julian Flamant, and Sophie Baum.