With the new executive order for the Trans-Atlantic Data Privacy Framework (TADPF) expected soon, now is a good time to revisit the goal that it is intended to achieve: satisfying the legal requirements set out by the Schrems II decision. These are typically thought of as falling into two categories: redress and “necessity and proportionality.”
The TADPF will create a mechanism featuring a new “Data Protection Review Court” that is intended to hit the CJEU’s redress target. According to the CJEU, an effective redress mechanism must be both independent and binding. In Schrems II, the Court ruled that the Privacy Shield Ombudsperson did not meet these requirements. The mechanism did not “afford EU citizens a level of protection essentially equivalent to that guaranteed by the fundamental right enshrined in [Charter of Fundamental Rights].” Specifically, the ombudsperson did not meet the definition of an “independent and impartial tribunal” under Article 47 of the Charter, nor did it have “the power to adopt decisions that are binding” on U.S. intelligence agencies. In Redress: What is the problem?, the Privacy Across Borders (PAB) team explores in depth the challenge of meeting these requirements within the U.S. legal framework.
The new executive order will also need to articulate legal measures designed to hit the CJEU’s target for necessity and proportionality. When reviewing the European Commission’s adequacy finding relating to U.S. surveillance under FISA Section 702, Executive Order 12333, and Presidential Policy Directive-28, the CJEU rooted its analysis in Article 52(1) of the Charter, which provides: “Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.”
The CJEU explained that:
“In order to satisfy the requirement of proportionality according to which derogations from and limitations on the protection of personal data must apply only in so far as is strictly necessary, the legislation . . . must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards, so that the persons whose data has been transferred have sufficient guarantees to protect effectively their personal data against the risk of abuse. It must, in particular, indicate in what circumstances and under which conditions a measure providing for the processing of such data may be adopted, thereby ensuring that the interference is limited to what is strictly necessary.”
The CJEU then stated that FISA Section 702 “does not indicate any limitations on the power it confers to implement surveillance programmes for the purposes of foreign intelligence or the existence of guarantees for non-US persons potentially targeted by those programmes.” Additionally, it found that PPD-28 allows for bulk collection of “a relatively large volume of signals intelligence information or data under circumstances where the Intelligence Community cannot use an identifier associated with a specific target … to focus the collection.” It added that the possibility of “access to data in transit to the United States without that access being subject to any judicial review, does not, in any event, delimit in a sufficiently clear and precise manner the scope of such bulk collection of personal data.”
The CJEU’s ruling uses terminology that does not neatly translate to the U.S. legal framework. In later articles the PAB team will dive more deeply into what “necessity and proportionality” mean under EU law. For now, it would seem that to hit the necessity and proportionality target, the new executive order will need to demonstrate that, with the addition of the order’s new legal requirements, the U.S. legal framework now:
- establishes “clear and precise rules governing the scope and application of surveillance”;
- includes “minimum safeguards” to protect against “the risk of abuse”;
- indicates “in what circumstances and under which conditions” surveillance measures may be “adopted” to ensure that any privacy interference “is limited to what is strictly necessary”;
- shows “the existence of guarantees for non-US persons” targeted by surveillance; and
- delimits “in a clear and precise manner” the scope of any permitted bulk collection of personal data.
Once the new order is issued, the PAB team will be providing analysis to help determine how well it has hit the targets laid out by the CJEU.