Doubts about U.S. President Biden’s executive order on data protection

Is a new data protection agreement with the USA on the way? If so, does it stay?

After the EU and the U.S. announced an “agreement in principle” on new rules for transatlantic data sharing on March 25, 2022, U.S. President Joe Biden signed the Executive Order establishing the “EU-U.S. Data Privacy Framework” (EU-U.S. DPF for short) announced therein on October 07, 2022. This legal act could form the basis for a new adequacy decision by the EU Commission, thus restoring the long-awaited legal certainty for the transfer of personal data between Europe and the US. But the reactions to this have been mixed. While U.S. industry associations, government agencies, and the EU Commission welcome the announced measures, European data privacy advocates have significant doubts that the Executive Order is sufficient to address the discrepancies identified in the ECJ’s Schrems II ruling between the powers of U.S. security agencies and the EU Charter of Fundamental Rights (CFR). Who is right now?

The most important thing in advance:

• U.S. President Joe Biden signed an executive order on Oct. 7, 2022, to comply with EU data privacy requirements.
• There are doubts as to whether the adopted measures meet the requirements of EU law and the ECJ.
• The Executive Order could provide the basis for a new adequacy decision, which could be adopted as early as March 2023.
• The issuance of the Executive Order does not change the current legal situation. For the time being, companies should conclude standard contractual clauses and prepare transfer impact assessments to safeguard data transfers to the USA.

Essential contents

The main criticisms of the U.S. legal situation cited by the ECJ in its Schrems II ruling were, in particular, that the surveillance measures carried out by the U.S. were not proportionate within the meaning of Article 52 CFR and that, contrary to Article 47 CFR, no judicial remedy was available to those affected. The Executive Order explicitly addresses this criticism.

1. introduction of a proportionality test

Sec. 2 of the Executive Order provides that intelligence activities may only be used to achieve predefined legitimate objectives. Furthermore, in the future, surveillance measures must be “necessary” and “proportionate” in terms of the intrusion into the privacy and freedoms of those affected in order to achieve the legitimate objectives – regardless of whether they are U.S. citizens or not.

Thus, the Executive Order approximates, at least in its wording, the requirements for fundamental rights interferences in Art. 52 CFR. What is more decisive, however, is how the concepts of “necessity” and “proportionality” are interpreted in the respective legal system. It is already clear from the Executive Order itself that the thresholds of necessity and proportionality are noticeably lower according to American understanding. While the Executive Order explicitly continues to allow for bulk surveillance measures (“bulk surveillance”), such as Upstream and PRISM (Sec. 2. (c) (ii)), the ECJ again declared the German regulations on data retention to be contrary to European law in its judgment of 20.09.22 (C-793/19 and C-794/19). It therefore seems questionable whether the U.S. understanding of proportionality will stand up to scrutiny by the ECJ.

2. two-stage appeal & Data Protection Review Court

The Executive Order provides for a two-step appeal process under which EU data subjects can also file complaints against surveillance measures. In the first stage, these are reviewed by the Civil Liberties Protection Officer (CLPO), who reports to the Director of National Intelligence and thus to a U.S. agency. The latter will decide in a secret procedure whether an infringement has occurred. The data subject is merely informed that either no violation occurred or that remedial action has been ordered in a legally binding manner (“the review either did not identify any covered violations or the [CLPO] issued a determination requiring appropriate remediation“).

Decisions of the CLPO may be reviewed by the newly formed Data Protection Review Court (DPRC) at the request of the data subject or a supervisory authority in the second stage. Members of this panel must be composed of knowledgeable legal practitioners who are not employed by a U.S. government agency at the time of their appointment. As in the proceedings before the CLPO, decisions are made in secret and affected parties receive only general information about the outcome of the proceedings.

It is true that the decision-making body is referred to as the “Court” and thus in German as “Gericht”. However, there are considerable doubts as to whether the DPRC actually meets the requirements of an independent and impartial court within the meaning of Article 47 CFR. According to the wording of sec. 3 (d) (i) of the Executive Order, members of the DPRC may not hold any office within the U.S. Government during their term of office – other than serving as a judge of the DPRC. This indicates a subordination of the DPRC to the executive branch instead of the judiciary. In addition, the DPRC itself appoints the litigation representative of the affected party.

Nor does the Executive Order contain any statement that affected persons must be informed of surveillance measures that have been carried out. This seriously calls into question the “effectiveness” of the remedy provided.

Next steps

The European Commission has signaled that it expects an adequacy decision on the EU-U.S. DPF, to be finalized under the Executive Order, to withstand judicial review by the ECJ. Accordingly, it has initiated the procedure for the adoption of an adequacy decision pursuant to Article 45 GDPR. Before a decision is taken, the European Data Protection Committee (EDSA) and the European member states must be consulted. It would be up to the member states alone to reject the decision, which seems unlikely. A decision on the resolution is expected in March 2023.

What does this mean for companies?

The Executive Order has no immediate effect on European companies. For the transfer of personal data, the transfer mechanisms available to date must still be used. Foremost among these are the new standard contractual clauses published by the EU Commission on June 04, 2021. Existing standard contractual clauses still based on the old models must be converted to the new models, which also require a transfer impact assessment in the case of the U.S., by December 27, 2022 (we reported here). If the Commission were to adopt a new adequacy decision based on the Executive Order, personal data could be transferred to the U.S. based on that decision without any further requirements. However, companies should not rely on this. There are reasonable doubts about the adequacy of the newly adopted U.S. government measures in light of the requirements of the CFR and the ECJ. These do not rule out the possibility that the EU-U.S. DPF will also be declared invalid shortly after it enters into force. Privacy activist Max Schrems has already indicated he will oppose a new adequacy decision if it is adopted based on this Executive Order. It therefore remains advisable to agree standard contractual clauses.