EU-US data transfers: US Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities and the impact on organizational GDPR compliance.

It is no longer news that EU-US data transfers have become increasingly challenging since the invalidation of the EU-US Privacy Shield Framework in 2020. Since then, companies have had to rely on standard contractual clauses and, in other cases, data subjects have had to give consent to such transfers knowing the risk of US government access. The economic relationship between the EU and the USA is currently valued at about $7.1 trillion. Given this value, it is no wonder that there have been efforts to make data flows between the EU and the USA less cumbersome and to preserve the economic relationship between the regions. This document provides a brief summary of the latest effort by the US government to foster trust in the data privacy framework of the USA: the US Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities.

On 7th October, 2022, President Biden signed the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (EO) to ensure that the obligations of the US under the EU-US Data Privacy Framework are carried out. The EO is divided into 5 sections: purpose, signals intelligence activities, redress mechanisms, definitions and general provisions.

For the purpose of this document, the significant provisions of the EO will be highlighted. To clearly understand these provisions, it is important to first understand what signals intelligence means. Signals intelligence describes a form of intelligence gathering by intercepting electronic signals. In the US context, signals intelligence involves collecting foreign intelligence from communications and information systems and providing it to customers across the U.S. government, such as senior civilian and military officials. They then use the information to help protect US troops, support allies, fight terrorism, combat international crime and narcotics, support diplomatic negotiations, and advance many other national objectives.

Legitimate objectives for signals intelligence

Signals intelligence will not be carried out at random. According to section 2.b.i.A, this type of intelligence may be carried out only for the following reasons:

  1. To assess the capabilities or activities of a foreign government, military or political organization, or any entity acting on its behalf, in order to protect the national security of the USA and its allies and partners.
  2. To assess the activities of international terrorist organisations that pose a current or potential threat to the national security of the US or its allies and partners.
  3. To assess transnational threats impacting global security, such as climate change, public health risks, humanitarian threats, political instability and geopolitical rivalry.
  4. To protect against foreign military capabilities and activities.
  5. To protect against terrorism and the taking of hostages conducted by or on behalf of a foreign government.
  6. To protect against espionage.
  7. To protect against threats from the development and proliferation of weapons of mass destruction conducted by or with the assistance of a foreign government, organization or person.
  8. To protect against malicious cybersecurity threats.
  9. To protect against threats to the personnel of the US or its allies or partners.
  10. To protect against transnational criminal threats, including illicit finance and sanctions evasion related to any of the objectives stated in this list.
  11. To protect the integrity of government property, US physical and electronic infrastructure, and political processes such as elections from activities conducted by a foreign government, organization or person.
  12. To advance operational capabilities in order to further any of the reasons stated in this list.

Prohibitions on the conduct of signals intelligence activities

Section 2.b.i.B of the EO lists the objectives for which signals intelligence may not be conducted:

  1. Suppression of criticism or the free expression of ideas or political opinions.
  2. Suppression or restriction of legitimate privacy interests.
  3. Suppression or restriction of the right to legal counsel.
  4. Discrimination against persons based on ethnicity, race, gender, gender identity, sexual orientation or religion.

The EO further states that collecting foreign private commercial information or trade secrets to afford a competitive advantage to US companies or the US business sector is not a legitimate objective; such collection can therefore only be conducted with authorisation and in order to protect the national security of the US or its allies or partners.

The EO further provides: “Signals intelligence collection activities shall be as tailored as feasible to advance a validated intelligence priority and, taking due account of relevant factors, not disproportionately impact privacy and civil liberties. Such factors may include, depending on the circumstances, the nature of the pursued objective; the feasible steps taken to limit the scope of the collection to the authorized purpose; the intrusiveness of the collection activity, including its duration; the probable contribution of the collection to the objective pursued; the reasonably foreseeable consequences to individuals, including unintended third parties; the nature and sensitivity of the data to be collected; and the safeguards afforded to the information collected.”

With respect to bulk collection of signals intelligence, the EO states that where bulk collection is determined to be necessary to advance a validated intelligence priority, reasonable methods and technical measures shall be applied to limit the data collected to only what is necessary to achieve the legitimate objectives.

Handling of personal information collected through signals intelligence

The EO also provides for the handling of personal information collected through signals intelligence. Elements of the intelligence community handling personal information shall ensure that policies and procedures are put in place to minimize the dissemination and retention of personal information. The provisions on retention of personal information give ‘non-United States persons’ the same level of protection as United States persons. For instance, under ‘Retention’ in section 2.c, the intelligence community “shall delete non-United States persons’ personal information collected through signals intelligence that may no longer be retained in the same manner that comparable information concerning United States persons would be deleted.”

With respect to data security and access, the EO requires appropriate protection of the collected information and the prevention of unauthorized access, consistent with the applicable safeguards for sensitive information in relevant Executive Orders and Directives.

Worthy of note is the savings clause in section 2.e, which states that nothing in the EO shall be construed to limit any signals intelligence collection technique authorized under the Foreign Intelligence Surveillance Act of 1978, as amended (FISA). It should be remembered that one of the considerations for the invalidation of the Privacy Shield framework was section 702 of FISA, which allows for surveillance of electronic communication service providers, a term that American courts have commonly interpreted broadly.

Redress mechanism for EU-US data transfers

Section 3 of the EO provides for a process through which qualifying complaints from qualifying states alleging a covered violation of US law can be submitted, investigated and, where necessary, remediated, and for the establishment of a Data Protection Review Court (DPRC). The designation of a qualifying state depends on a number of factors under section 3.f.i of the EO, one of which is that the country, regional economic integration organization or its member countries permit, or intend to permit, the transfer of personal information for commercial purposes between their territory and the territory of the US. In other words, the principle of reciprocity applies. The designation of a qualifying state can also be revoked if the countries or member countries do not permit the transfer of personal information for commercial purposes between those countries and the US.

What does this mean for EU-US data transfers?

You are probably wondering how this impacts your business operations and EU-US data transfers. The EO brings a ray of hope, as it promises easier data flows between the EU and the US. What is important to keep in mind, however, is that an Executive Order in the USA is just that: it has no direct effect on EU territory. It is for this reason that the European Commission has published a Q&A on the EU-US Data Privacy Framework.

In this publication, the European Commission states that it will propose a draft adequacy decision and launch the procedure for its adoption. The final adequacy decision will only be adopted after scrutiny by the European Parliament, after which data should be able to flow freely between the EU and those US companies certified by the Department of Commerce under the new framework.

Until these formalities have been completed, nothing is required of businesses in the EU. If you hope to commence data transfers to the US, note that an adequacy decision is not the only way to achieve this. One mechanism adopted by the European Commission for international data transfers is the use of modernized standard contractual clauses, which businesses can include in their commercial contracts. The European Commission has also stated that, in the future, all the safeguards it has agreed with the US Government in the area of national security (including the redress mechanism) will be available for all transfers to the US under the GDPR, regardless of the transfer tool used.

Summary

Undoubtedly, the EO appears to be a laudable effort to create an environment of trust for EU-US data transfers. For instance, the establishment of a Data Protection Review Court is a progressive step because it provides a redress mechanism for so-called qualifying complaints from qualifying states. According to the White House, the provisions of the EO are intended to provide a basis for the European Commission to adopt a new adequacy decision aimed at restoring an accessible and affordable data transfer mechanism under EU law.

Despite being a commendable effort, the EO gives with one hand and takes with the other. The savings clause states that the EO does not limit any signals intelligence collection technique authorized under the Foreign Intelligence Surveillance Act (FISA), amongst other laws.

Furthermore, the process for lodging a qualifying complaint appears cumbersome, especially for non-US persons. This is because the CLPO (the Civil Liberties Protection Officer of the Office of the Director of National Intelligence) will first have to review the complaint and inform the complainant, through the appropriate public authority in the qualifying state, whether or not a covered violation was identified. This means that complainants cannot lodge complaints directly with, or bring an action before, the DPRC.

After the CLPO has reviewed a complaint, the DPRC (to be constituted by judges selected by the Attorney General in consultation with the Secretary of Commerce, amongst others) shall further review the decision of the CLPO where necessary. If the complainant applies for a review by the DPRC, an advocate will be selected by the DPRC to advocate regarding the complainant’s interest in the matter (section 3.c.i.E). This brings to mind the Latin maxim nemo judex in causa sua, which means that no one should be a judge in their own case. Would an advocate employed by the DPRC really serve the interest of the complainant or that of its master? Time will tell.

The EO is loudly silent on the rights of the complainant. At best, it creates only an ‘[…] entitlement to submit qualifying complaints to the CLPO and to obtain review of the CLPO’s decisions by the Data Protection Review Court […]’ according to section 5.h. This section clearly states that the Order ‘… is not intended to, and does not, create any other entitlement, right, or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.’

On 13th December, 2022, the European Commission published a draft adequacy decision for EU-US data transfers, thus signaling the start of the adoption procedure for the EU-US Data Privacy Framework following the US Executive Order. According to the European Commission’s official website, the Commission submitted its draft decision to the European Data Protection Board (EDPB). Afterwards, the Commission will seek approval from a committee composed of representatives of the EU Member States. In addition, the European Parliament has a right of scrutiny over adequacy decisions. Once this procedure is completed, the Commission can proceed to adopt the final adequacy decision.

In summary, while the Executive Order is a step in the right direction, it still leaves open questions about government surveillance and the enforceability of data subject rights in the USA. The coming months will bring interesting developments as further processes are put in place to comply with this Executive Order and adopt a final adequacy decision for EU-US data transfers. Until then, it is advisable that businesses in the EU maintain the status quo and continue to limit data transfers to the US as much as possible, or rely on lawful mechanisms for such transfers.

Do you need support on data protection, privacy or GDPR? TechGDPR can help.
