DP News – Week 41. New executive order introduces legal safeguards for the U.S. governmental agencies’ access to personal data. Max Schrems voice doubts.

Further to the agreement in principle on a new Trans-Atlantic Data Privacy Framework reached by the U.S. and the EU Commission in March 2022, on 7 October 2022, the U.S. President Joe Biden signed the Executive Order “On Enhancing Safeguards For United States Signals Intelligence Activities”.

As per the Fact Sheet published by White House, the executive order (E.O.) “creates an independent and binding mechanism enabling individuals in qualifying states and regional economic integration organizations, as designated under the E.O., to seek redress if they believe their personal data was collected through U.S. signals intelligence in a manner that violated applicable U.S. law”.

In particular, the E.O. requires the U.S. signals intelligence activities to be “conducted only in pursuit of defined national security objectives” and “only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority”. It also introduces “handling requirements for personal information collected through signals intelligence activities”, two-layer “independent and binding review and redress” mechanisms for individuals, and requires “U.S. Intelligence Community elements to update their policies and procedures” to align them with new E.O.

Unlike previously existing Privacy Shield Ombudsperson, the two-layer review and redress mechanism implies an ability to lodge a complaint with the ‘Civil Liberties Protection Officer’ of the US intelligence community (first layer), whose decision may be appealed to the new Data Protection Review Court (second layer).

Following the adoption of the E.O., the EU Commission has already declared “proposing a draft adequacy decision and launching its adoption procedure” to be the next step in the process. The EU Commission also stresses in its “Questions & Answers: EU-U.S. Data Privacy Framework” that the new E.O. duly addresses the issues raised by the Court of Justice (CJEU) in the so-called Schrems-II ruling. Thus, the EU Commission concludes, there are grounds to believe that the new transatlantic legal framework would be Schrems-III proof.

However, not everyone seems to share the EU Commission’s optimism. As Max Schrems says: “We will analyze this package in detail, which will take a couple of days. At first sight it seems that the core issues were not solved and it will be back to the CJEU sooner or later.” In particular, as Noyb.eu (chaired by Max Schrems) explains, the so-called Data Protection Review Court is not really a court “but a body within the US government’s executive branch. The new system is an upgrades version of the previous “Ombudsperson” system, which was already rejected by the CJEU. It seems clear that this executive body would not amount to “judicial redress” as required under the EU Charter”.