
This was an eventful summer for cross-border data flows. Three years ago, the Schrems II decision struck down Privacy Shield, putting transatlantic data flows at risk. After many months of quiet negotiation, a succession of key events followed the issuance of Executive Order 14086 last October.
On July 3rd, the Office of the Director of National Intelligence released the Intelligence Community (IC) Procedures required by Executive Order 14086 (EO 14086). The IC procedures “implement the EO’s requirements, and thereby the United States’ commitments under the EU-U.S. Data Privacy Framework (DPF).” On the same day, the Department of Justice (DOJ) released a memorandum in support of designating the European Union, Iceland, Liechtenstein, and Norway as qualifying states under EO 14086. The memorandum determined that the laws of the EU/EEA had “appropriate safeguards” for signals intelligence activities involving U.S. persons. According to the DOJ, “[EO 14086’s] ‘appropriate safeguards’ standard does not impose a rigid ‘one-size-fits-all’ model but rather asks, in light of the importance of maintaining trust and confidence in the free flow of data in today’s networked global economy, whether the laws of a potential qualifying state, when viewed holistically, require appropriate privacy safeguards with respect to its national security activities.”
Finally, the European Commission (EC) released its much-anticipated adequacy decision on July 10th. The EC stated that “an essential element of the US legal framework on which the adequacy decision is based concerns [the] Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’” which provides for “binding safeguards that limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security, enhanced oversight of activities by US intelligence services to ensure compliance with limitations on surveillance activities, and the establishment of an independent and impartial redress mechanism, which includes a new Data Protection Review Court to investigate and resolve complaints regarding access to their data by US national security authorities.”
To understand how we got here, please read Beyond Schrems II: What Happens After EU and US Officials Conclude Negotiations for Privacy Shield 2.0 and What’s Next for the New Executive Order and the DPRC? On September 7th, a French lawmaker, Philippe Latombe, announced that he is challenging the EU-US DPF in the European Union’s General Court. Although it is unclear how the Court will rule, to understand the legal challenges to previous frameworks, please read Challenging the New Privacy Shield Framework: All Paths Lead to the CJEU. Under GDPR Articles 77 and 79, a data subject can lodge a complaint with the appropriate data protection authority (DPA) or a Member State court. DPAs and national courts cannot invalidate adequacy decisions, but they can be vehicles for the body that can, the CJEU. The Schrems I and II cases began at the DPA level, went through the national court system, and then reached the CJEU. Regardless of the path a challenger takes, the complaint will likely end up at the CJEU.
Over the past few months, our team analyzed the requirements set forth by EO 14086 and the critiques of the order. Senior Project Director Alex Joel responded to several of these critiques in Necessity, Proportionality, and Executive Order 14086. In this paper, Alex explores how EO 14086 meets the necessity and proportionality requirement from the Schrems II decision and addresses some of the concerns listed in the European Data Protection Board’s advisory opinion.
Notably, the paper reviews EO 14086’s articulation of “legitimate objectives” for signals intelligence and compares it with the more general definitions of “national security” that are the norm in Europe. It also notes that the information the U.S. government has released on FISA Section 702 shows that Section 702 surveillance is not “massive and indiscriminate,” and that the Foreign Intelligence Surveillance Court closely oversees targeting decisions. Finally, on bulk collection, the paper explains that such collection is permissible under European jurisprudence if conducted in accordance with specific safeguards, and that bulk collection is prohibited by U.S. law for data once it has been transferred to the U.S. With respect to concerns about interception of data in the course of transmission to the U.S., the paper examines EO 14086’s bulk collection safeguards.
Additionally, Alex wrote about EO 14086’s notification requirement in Without Confirming or Denying. In this blog post, Alex walks through the notification process and explains how the record of a “qualifying complaint” could be declassified; he discusses this issue at greater length in a separate paper. For more information on how countries around the world inform individuals whether they have been surveilled, please read the paper written by Privacy Across Borders Research Assistant Lauren Mantel. Lauren conducts a country-by-country survey of notification practices and concludes that many countries “limit the ability to inform individuals in order to preserve [the] confidentiality of national security and law enforcement activities.”
Our team will closely monitor upcoming developments and publish expert analyses and updates. Stay tuned for more!