Is it time to call the bluff on US data privacy?
The jury is out on whether the Executive Order signed by President Biden on 7 October can resolve the legal concerns highlighted in the Schrems II case and restore “trust and stability” to transatlantic data flows, writes Dick Roche, former Irish minister for European affairs who played a central role in the Irish Referendum that ratified the Lisbon Treaty which recognised the protection of personal data as a fundamental right.
The EU's data protection laws are widely recognised as the gold standard for data regulation and for the protection of the privacy rights of individual citizens.
When the internet was in its infancy the EU broke new ground in 1995 setting out rules governing the movement and processing of personal data in the European Data Protection Directive.
Under the 2007 Lisbon Treaty protection of personal data became a fundamental right. The Treaty on the Functioning of the European Union and the EU Charter of Fundamental Rights which came into effect in 2009 protect that right.
In 2012, the EU Commission proposed the General Data Protection Regulation (GDPR) setting out a comprehensive set of reforms aimed at boosting Europe’s digital economy and strengthening the online security of citizens.
In March 2014 the European Parliament recorded overwhelming support for GDPR when 621 MEPs from across the political spectrum voted in favour of the proposals. Only 10 MEPs voted against and 22 abstained.
GDPR has become the global model for data protection law.
Lawmakers in the US have not followed the same path as Europe. In the US data protection rights in the law enforcement sector are constrained: the tendency is to privilege law enforcement and national security interests.
Two attempts to bridge the gap between the EU and US approaches and to create a mechanism for data flows failed when the rather fancifully named Safe Harbour and Privacy Shield arrangements were found wanting by the Court of Justice of the EU.
The question arises whether new EU-US Data Privacy Framework arrangements set out in the Executive Order “Enhancing Safeguards for United States Signals Intelligence Activities” signed by President Biden on 7th October will succeed where Safe Harbour and Privacy Shield failed. There are plenty of reasons to doubt that they will.
Schrems II set a high bar
In July 2020, in the Schrems II case, the CJEU ruled that US law did not satisfy the requirements regarding access to, and use of, personal data set down in EU law.
The Court flagged a continuing concern that the use of and access to EU data by US agencies was not restricted by the principle of proportionality. It took the view that it was “impossible to conclude” that the EU-US Privacy Shield agreement was sufficient to ensure a level of protection for EU citizens equivalent to that guaranteed by the GDPR and ruled that the Ombudsman mechanism created under Privacy Shield was inadequate and that its independence could not be guaranteed.
President Biden’s proposals and the EU Commission’s endorsement
On 7th October President Biden signed an Executive Order (EO) “Enhancing Safeguards for United States Signals Intelligence Activities”.
In addition to updating an Obama-era Executive Order on the manner in which data protection operates within the US, the order sets out a new EU-U.S. Data Privacy Framework.
A White House briefing on the EO characterises the Framework as restoring “trust and stability” to transatlantic data flows, which it describes as “critical to enabling the $7.1 trillion EU-US economic relationship” - a rather over-the-top claim.
The briefing describes the new arrangements as bolstering the “already rigorous array of privacy and civil liberties safeguards for US signals intelligence activities”.
It contends that the new arrangements will ensure that US intelligence activities will be conducted only in pursuit of defined US national security objectives and be limited to what is “necessary and proportionate” - a genuflection to the Schrems II judgement.
The briefing also sets out “a multi-layer mechanism” which will allow those aggrieved by US intelligence activities “to obtain (an) independent and binding review and redress of claims”.
The EU Commission has endorsed President Biden’s Order enthusiastically, portraying it as providing Europeans whose personal data is transferred to the US with “binding safeguards that limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security”. Without supporting analysis, it characterises the Order’s redress provisions and Court as “independent and impartial” mechanisms “to investigate and resolve complaints regarding access to (Europeans’) data by US national security authorities”.
Some serious questions
There is much to question in the presentations by the White House and the Commission.
Many would question the idea that US intelligence agencies are subject to a “rigorous array of privacy and civil liberties”.
A major issue arises regarding the legal instrument being used by the US to introduce the changes. Executive Orders are flexible executive instruments that can be changed at any time by a sitting US President. A change in the White House could see the arrangements that have been agreed consigned to the waste bin, as happened when President Trump walked away from the painstakingly negotiated agreement to restrict Iran’s nuclear programme in exchange for sanctions relief.
Questions also arise as to how the words “necessary” and “proportionate” which appear in the White House and the Commission statements are to be defined. The interpretation of these key words can differ considerably on either side of the Atlantic.
The European Centre for Digital Rights, the organisation founded by Max Schrems, makes the point that while the US administration and the EU Commission have copied the words "necessary" and "proportionate" from the Schrems II judgement, they are not ad idem as to their legal meaning. For both sides to be on the same page, the US would have to fundamentally limit its mass surveillance systems to align with the EU understanding of "proportionate" surveillance, and that is not going to happen: bulk surveillance by US intelligence agencies will continue under the new arrangements.
Particularly serious concerns arise over the redress mechanism. The mechanism created by President Biden’s EO is complex, constrained and far from independent.
The redress arrangements require that complaints first be lodged with Civil Liberties Protection Officers appointed by US intelligence agencies to ensure agency compliance with privacy and fundamental rights – a poacher turned gamekeeper arrangement.
Decisions of these officers can be appealed to a newly created Data Protection Review Court (DPRC). This ‘Court’ will be “composed of members chosen from outside the US Government”.
The use of the word “court” to describe this body is questionable. The European Centre for Digital Rights rejects the idea that the body is within the normal meaning of Article 47 of the EU Charter of Fundamental Rights.
Its “judges”, who must have “requisite (US) security clearance”, will be appointed by the US Attorney General in consultation with the US Secretary of Commerce.
Far from being “outside the US Government” once appointed the Court’s members become part of the US machinery of Government.
Where an appeal is made to the Court by either a complainant or by “an element of the Intelligence Community” a three-judge panel will meet to review the application. This panel selects a special advocate again with US “requisite security clearance” to represent “the complainant's interests in the matter”.
On the matter of access, complainants from the EU must take their case to a relevant agency in the EU. That agency transfers the complaint to the US. After the case is reviewed the complainant is informed “through the appropriate body in the qualifying state” as to the outcome “without confirming or denying that the complainant was subject to United States signals activities”. Complainants will only be told that “the review either did not identify any covered violations” or that “a determination requiring appropriate remediation” had been issued. It is hard to see how these arrangements satisfy the independence test which the Ombudsman proposals in Privacy Shield failed.
Overall the Data Protection Review Court arrangements have more than a whiff of the much reviled US FISA Court, which is widely seen as little more than a rubber stamp for the US intelligence services.
What Next?
With the US Executive Order adopted the action moves back to the EU Commission which will propose a draft adequacy decision and launch adoption procedures.
The adoption procedure requires the Commission to obtain an opinion, which is non-binding, from the European Data Protection. The Commission must also receive approval from a committee composed of representatives of the EU Member States.
The European Parliament and the Council have the right to request the European Commission to amend or withdraw the adequacy decision on the grounds that its content exceeds the implementing powers provided for in the 2016 GDPR regulation.
As the body directly representing the people of Europe and the body which so overwhelmingly endorsed the principles set out in GDPR, the European Parliament has a responsibility to take a long hard look at what is on the table and to take a clear-eyed view on the extent to which the proposals are compatible with the principles established in GDPR and with the expectations of Europeans that their privacy rights are respected.
The fundamental differences between the EU and the US on the protection of the privacy rights of individual citizens are very unlikely to be brought to a halt by President Biden’s Executive Order: the controversy still has some way to run.
