Since the Schrems II ruling in 2020 there have been doubts about whether the use of cloud technologies, particularly Google Analytics, is even legal. U.S. President Joe Biden's new Executive Order is intended to address the resentment over the use of U.S. cloud technologies in the EU and to meet the demands of the Schrems II ruling. However, experts already believe that the Executive Order will not be sufficient to enable data transfers to the U.S. in the long term.
After Safe Harbor and Privacy Shield, the EU and the US are now trying for the third time to find a compromise between the high protection standard of European data protection law and American mass surveillance. In March 2022, EU Commission President Ursula von der Leyen and US President Joe Biden announced that there was an agreement in principle for a secure data transfer between the EU and the US. A few months later, on 07 October 2022, Biden issued an Executive Order to remedy the points that the CJEU had criticized in "Schrems II". The Privacy Shield Framework in force until then had been declared invalid by the CJEU. The new Executive Order of the U.S. President is intended to create the legal framework and thus enable a new adequacy decision by the EU Commission.
The data protection rights of non-U.S. citizens in the U.S. are not at the same level as in the EU; therefore the U.S. cannot be included in the list of countries to which an "adequacy decision" applies. Such a decision creates legal certainty for the transfer of data to the respective country, and the legal use of cloud offerings would depend on it. The aim of Biden's Executive Order is therefore to give the EU Commission, which has the relevant decision-making power, a basis for including the United States.
The special feature of an adequacy decision by the EU Commission is that it legitimizes such a third-country transfer as long as it is not declared invalid by the CJEU or revoked by the EU Commission. This means that the European supervisory authorities would be bound by this assessment.
The Executive Order clears the way for the EU Commission to consider a new adequacy decision under Article 45 GDPR for data transfers to the US. An Executive Order is an order issued by the US President and addressed to the US federal administration. It does not require the approval of either the House of Representatives or the Senate, and the U.S. Constitution does not contain an explicit legal basis for Executive Orders. It has no direct effect in the EU, but it is a directly applicable legal requirement that is binding on the U.S. agencies to which it is addressed. In this case, the Executive Order is addressed to all federal agencies that collect electronic signals for intelligence purposes and to those that evaluate them.
In the Schrems II case, the CJEU considered two aspects in particular to be violations of citizens' rights: first, it criticized the intelligence agencies' unreasonably broad mandate to collect data, which should instead be reduced to a minimum; second, those affected have no legal means to enforce their claims.
However, the Executive Order does not offer a solution for either of these two aspects. As the NGO noyb around Max Schrems has explained, this is mainly due to the wording used.
The new Executive Order uses the wording of European law ("proportionate" and "necessary", Article 52 of the Charter of Fundamental Rights) instead of the former term "as tailored as possible" (Section 1(d) of PPD-28). Moreover, the U.S. has indicated that despite the new wording it will not limit its mass surveillance systems, and in fact will explicitly allow them (see Section 2(c)(ii) of the Executive Order).
Max Schrems, chairman of the NGO noyb, stated:
"The EU and the US agree on the term 'proportionate' but apparently not on its meaning. In the end, the CJEU's definition will prevail - likely undoing the agreement. It's disappointing that the European Commission wants to continue spying on Europeans based on this word."
The word "court" is also not used in its true sense. Rather, the body in question is a kind of control body whose members can be appointed or dismissed. Consequently, it lacks independence, and unlawful or disproportionate transfers remain possible.
In the event of a complaint, it is first received by an employee of the Director of National Intelligence. Subsequently, the "Data Protection Review Court" examines the handling of the complaint. However, this is not a court but a body of the executive branch. The approach is not new: it strongly resembles the "ombudsman" mechanism, which the CJEU declared insufficient. The question therefore arises how this complaints body is supposed to be equivalent to a court.
Max Schrems continued:
"We need to examine the proposal in detail, but at first glance, this 'court' simply does not seem to be a court of law. The Charter clearly requires a 'judicial remedy' - simply renaming a complaints body a 'court' does not make it a court. It's fascinating how the European Commission - rightly - demands immaculate court systems from Poland or Hungary, but when it comes to the U.S., suddenly we don't need a court at all."
The EU Commission must now work out the "adequacy decision." To do so, it must also consult the European Data Protection Board (EDPB) and the EU member states. This process will take some time, so a decision is not expected before spring 2023. Until then, data controllers must continue to secure data transfers with other transfer mechanisms, in particular standard contractual clauses.