The new transatlantic privacy framework – will it protect our data better?

US President Joe Biden has recently signed the Executive Order establishing rules for national security surveillance of electronic communications and the creation of the Data Protection Review Court. The regulation should remedy the situation caused mainly by the difference between EU and US laws on surveillance for national security, and by the difference in the rights of US and non-US citizens in respect of this surveillance, which inhibits free data flows under European data protection legislation. Although there is political will on the EU side to recognise the Executive Order as providing adequate protection for EU citizens, the data protection community is sceptical.

The background

On October 7th, Joe Biden signed the Executive Order establishing rules for national security surveillance of electronic communications and the creation of the Data Protection Review Court. A supervisor, the newly created Civil Liberties Protection Officer (CLPO), will review complaints first, taking over this task from the practically powerless ombudsman. This is intended to remedy the situation caused mainly by the difference between EU and US laws on surveillance for national security, and by the difference in the rights of US and non-US citizens in respect of this surveillance, which inhibits free data flows under European data protection legislation. Although there is political will on the EU side to recognise the Executive Order as providing adequate protection for EU citizens, the data protection community is sceptical.

The reader is probably aware of the two Schrems cases in which, following the Snowden revelations of “mass and indiscriminate” eavesdropping on electronic communications, the European Court of Justice invalidated first the Safe Harbour and then the Privacy Shield, the two successive frameworks under which EU data controllers could transfer personal data to US commercial organisations subscribing to the privacy principles and practices of these two schemes.

With Biden in the White House, Europe hoped for the revitalisation of transatlantic co-operation. The Trans-Atlantic Trade and Technology Council was established – and it is evident that trade, and even more so technology co-operation, is not possible without exchanging data freely. The war in Ukraine also underlined the need for the allies to work more closely together. This spring, a political agreement was announced on the principles of a new framework – and it took more than six months for the US to take the first step. On the other hand, just a week after the President of the US signed the Executive Order, the Attorney General published the procedures for the new review court. The first reactions from the data protection profession and privacy NGOs (including American ones) are, however, not too encouraging.

What is expected?

The political will and the importance of the matter mean that an adequacy decision by the European Commission can be expected by spring 2023. Before the Commission decides, it has to consult the European Data Protection Board (and probably the European Data Protection Supervisor, also a member of the Board) and a committee of experts representing each member state. The Commission decision will probably maintain the Privacy Shield mechanism but establish that there is no risk of violation of European data protection principles by US authorities. This will mean that transfers can go forward without additional safeguards and administrative burden (except, of course, the registration of the US recipient with the Privacy Shield and its compliance with it, and the usual data protection clauses obligatory for all processors, for which the European Commission has issued standard clauses).

The first reactions, however, make it almost certain that the final word will, in this case too, be pronounced by the European Court. Depending on the procedure, the judgment may come after several years, but an injunction suspending the application of the framework is not excluded. On the other hand, even before the Commission decision, or after a suspension, data controllers may take the Executive Order into account when assessing the risk of transfers to the US – however risky this route may be.

Besides the still ongoing discussions on whether the Schrems II judgment excludes a conclusion that in some cases there is no risk of authority access beyond what is legitimate in Europe as well, there is another obstacle: the redress mechanism (as we will see, this is a central point) is only applicable to those who live in a “qualifying state” or “qualifying regional integration”, the condition being, among others, that “member countries of the regional economic integration organization permit, or are anticipated to permit, the transfer of personal information for commercial purposes between the territory of that country or those member countries and the territory of the United States”. Once the adequacy decision of the Commission is in force, the EU will qualify, but until then not necessarily.

It is interesting to note the reason why the EU is taken into account as a regional integration. Namely, there is another condition: that the surveillance laws and practice are in line with the US standards, which are assumed to be in line with European requirements. For some EU member states this is not the case in practice – the big difference in favour of these states is that the national data protection authorities and courts, and as a last instance the European Court, can prohibit unlawful practices and provide remedies for data subjects.

Can the new framework stand court scrutiny?

The role of the new court is the main sticking point: on a closer reading, the new US framework does not measure up to the requirements formulated by the EU court for redress. This is the conclusion of the first analyses by NOYB, the NGO of Maximilian Schrems, the American Civil Liberties Union and the Trans Atlantic Consumer Dialogue, among others.

They point to several aspects where the conformity with European standards is only formal. One can, of course, also hear complaints that US citizens do not have sufficient rights in the face of state surveillance either, and that this is exacerbated by the difference between the treatment of US and foreign citizens, which the new framework tries to remedy without putting them on an equal footing.

The main point is that the new Data Protection Review Court has some shortcomings. According to the case law of the EU court, the main conditions for recognising a court are: creation by law, independence, the binding nature of its judgments and a “contradictory procedure”, called “inter partes” in legal jargon. The new DPRC will not be part of the US judicial system but will be set up within the organisation of the Attorney General. Some rules on selecting and protecting its members, together with the conflict of interest rules, attempt to ensure its independence but at the same time make membership less attractive. The procedure is to be regulated by the Attorney General, but the rules published so far do not give much detail.

What we can see, however, does not give much reason for optimism: the complainant has no access to the court but is represented by a Special Advocate. Apparently, the appeal (“application for review”) against the refusal of the complaint by the supervisor, the CLPO, also has to be submitted by an “appropriate authority in the qualifying country” from which the complaint comes. After this, only the Special Advocate can put questions to the complainant. The Special Advocate will be subject to restrictions on communications with the complainant in order to preserve US confidential information: the court will first scrutinise these questions to check that they contain no US state secrets. Thus, concrete questions will probably be prohibited.

Of course, if the decision of the CLPO is unfavourable to the institution which conducted the surveillance, this institution or its employees can also file an appeal – in this case the court will not provide the subject of the surveillance with any information relating to the existence, review, or outcome of this application for review. More disturbingly, the judgment of the court will not be communicated to the complaining foreign citizen: the information will be limited to whether the surveillance was lawful or not and, if unlawful, that the infringement was remedied. Thus, probably no compensation can be expected, just the erasure of the unlawfully collected data and the discontinuation of the surveillance.

Other criticisms

The newly created court is not part of the US court system and, although some measures are foreseen to protect its independence, it is still within the US administration. There can be doubts concerning its permanence as well.

Although redress is a very important point, there are other aspects to be evaluated. The first main objection to the whole new framework was that it is introduced by an Executive Order of the president and not by law. At first sight, this is not a blocking issue: on the one hand, laws can also be changed, and the adequacy decision by the European Commission will contain a “sunset clause” – unless a review establishes that the system is still compliant with EU rules, the decision will lose effect after a number of years (this is a relatively new feature of adequacy decisions; in the case of the United Kingdom this period is the legally endorsed maximum, four years). Also, the amendment of the adequacy decision system after the first Schrems judgment and the new GDPR provide for the possibility of the Commission withdrawing the decision if, on an indication (for example by a national data protection authority), it finds that the US no longer fulfils the requirements.

There is, however, a hidden problem: executive decisions are not necessarily public, and a public executive decision can be modified – its effect limited, for example – by a non-public executive decision or even by a Presidential Policy Directive. The latter is most frequent in security issues; this was actually the form in which the Obama administration implemented the Privacy Shield, concretely PPD 28.

Supervision and redress must of course judge the lawfulness of surveillance against some rules and principles. The Court of Justice (based on the Data Protection Directive and its successor, the GDPR) formulated these as the principles of necessity and proportionality. These are indeed enshrined in the Executive Order, and this is an important improvement compared with PPD 28, which created the Privacy Shield. Data minimisation, retention limitation and the accuracy requirement have also found their way into the order. The critics, however, are quick to highlight that these, in particular proportionality, are not defined; instead, reference is made to general US law. The general opinion is that proportionality in particular is not understood the same way in the US and in Europe.

Another important difference is that only bulk surveillance is addressed; targeting, however, is understood very widely. According to Max Schrems, the judges addressed this question in the hearing of the Privacy Shield case. The example cited was that when surveillance is limited, for example, only to communications towards the Middle East, US authorities already consider this targeted, even though it can cover many millions of people and billions of transactions. This difference did not find its way into the judgment, as there were more serious deficits in the system which in themselves justified the invalidation of the Commission's adequacy decision.

Is there hope?

The main surveillance instrument, the Foreign Intelligence Surveillance Act (FISA), is due to be reauthorized next year, and if some of its clauses are brought closer to European rules, some of the problems mentioned may be remedied.

There are also some ways to mitigate the risks, like the approach SWIFT took: European transaction data are under the aegis of the European company, stored in Europe, and the company structure is set up in such a way that the US shareholder cannot instruct the European company. It has to be mentioned, however, that the other risk factor, the C.L.O.U.D. act, which enables US authorities to access data stored in Europe by US companies, came into being as a response to Microsoft challenging a data access order on the grounds that the data were in Europe, and to Google doing the same while stating only that they did not know whether the data were in the US or outside. The first important surveillance tool, the P.A.T.R.I.O.T. act, also established the extraterritorial effect of national security actions, extending to companies which have a business relationship with the US (which enabled suing foreign companies in US courts in other domains as well) or even to foreign parent companies with American subsidiaries.

If there is a Commission adequacy decision, this will give some breathing space to companies, but no one should assume this decision will hold forever, unless there are further changes in the US legal framework surrounding the surveillance of foreigners.

László S. Szabó

This article reflects the views of the author, which do not necessarily reflect those of the Portfolio editorial team.

Cover photo: Getty Images
