In this article we will discuss why U.S. President Joe Biden’s recent Executive Order falls short of the requirements of the EU’s Charter of Fundamental Rights.
It has been more than six months since the United States and the European Union reached an “agreement in principle” on the data-transfer problems brought to light by Schrems II. U.S. President Joe Biden has now signed an Executive Order intended to address the Court of Justice of the European Union’s (CJEU) earlier judgments on EU-U.S. data transfers.
Two requirements that the CJEU set out in Schrems II are:
- U.S. surveillance must be necessary and proportionate, as required by Article 52 of the Charter of Fundamental Rights (CFR).
- EU data subjects must have access to judicial redress, as required by Article 47 of the CFR.
The problem with Biden’s Executive Order is that it does not adequately meet either requirement. In what follows, we explain why the Executive Order on U.S. surveillance could well lead to a Schrems III.
An Executive Order is Not a Law
It is important to understand that an Executive Order is not a law in the eyes of the Court. It is an internal directive issued by the U.S. President to the federal government, not legislation passed by Congress, and a later President can revoke or amend it. While it is good that Biden made an effort to address the issues raised in Schrems II, an Executive Order alone is unlikely to solve the data protection problem for EU data held in U.S. clouds.
Bulk Surveillance Continues
Under Biden’s Executive Order, bulk surveillance continues. The Order borrows the EU-law wording of Article 52 CFR, “necessary” and “proportionate,” in place of the earlier standard of “as tailored as feasible,” but changing the words does not change the programs. Bulk collection carries on with no guarantee that it meets the CJEU’s understanding of “proportionate,” so EU data sent to U.S. providers can still end up in FISA Section 702 programs such as PRISM or Upstream.
The open question is whether the United States would apply the CJEU’s proportionality test in the same way the CJEU does. The United States and the EU have not agreed that “necessary” and “proportionate” carry the same legal meaning on both sides of the Atlantic. For the United States to comply with the EU’s idea of “proportionate” surveillance, it would have to limit its mass surveillance systems, and the Executive Order does not do that.
Biden’s Executive Order Falls Short in Data Protections
Biden’s Executive Order is meant to add a redress mechanism for surveillance of EU data. A two-step procedure will be instituted:
- Step 1 – A complaint is reviewed by the Civil Liberties Protection Officer under the Director of National Intelligence.
- Step 2 – The decision can be reviewed by a newly created Data Protection Review Court.
The problem is that the Data Protection Review Court is not a “court” in the legal sense of Article 47 CFR, nor a court under the U.S. Constitution. It is a body inside the executive branch of the U.S. government. In practice, this mechanism is an upgraded version of the “Ombudsperson” system that the CJEU already rejected in Schrems II, so the Data Protection Review Court does not amount to the “judicial redress” the EU Charter requires.
There is also the question of how a complaint that the United States has violated someone’s data protection rights would be handled under the Executive Order. An affected user would first have to raise the issue with an EU national body, which would then pass it to the U.S. government. The U.S. government will neither confirm nor deny that surveillance occurred; it will only respond that either no violation was found or that the problem was remedied. Because the complainant never learns what was decided or why, there is nothing to appeal.
Now the Ball is in the European Commission’s Court
Unfortunately, under FISA and in the eyes of the United States, Europeans do not enjoy the privacy rights that U.S. citizens and permanent residents have under the Fourth Amendment of the U.S. Constitution. Nor are U.S. businesses required to comply with the “Privacy Shield Principles,” which are a separate self-certification framework rather than part of the GDPR.
Now that President Biden has issued the Executive Order, it is up to the European Commission to respond with a draft “adequacy decision” under Article 45 GDPR. The Commission must then let the European Data Protection Board (EDPB) review the draft and report its findings, and the EU Member States must also weigh in and could in principle block the deal. The Commission is, however, not bound by a negative opinion from the EDPB or the Member States.
The adequacy decision was originally expected to be published in Fall 2022 but is now expected by Spring 2023. Once published, EU companies can rely on it as the legal basis for sending data to the United States. The decision could also be challenged by data subjects before national courts and, ultimately, the CJEU.
Protect Data Sovereignty with Bring Your Own Key
There is a good chance that Biden’s Executive Order, and any adequacy decision built on it, will not survive the court challenges expected in 2023. Meanwhile, U.S. data protection law does not meet the EU’s legal requirements under the Charter of Fundamental Rights. Until these differences are resolved, a better way to secure data sent to the public cloud is to keep control of the encryption keys yourself and confine data flows to a region by using bring-your-own-key (BYOK) methods, so that the provider never holds the plaintext or the key needed to recover it. Find out more about how BYOK for AWS can help address concerns about Data Residency, Regionality, Digital Sovereignty and GDPR Compliance.
Source: “New US Executive Order Unlikely to Satisfy EU Law” (October 2022), NOYB – European Center for Digital Rights