New US Executive Order unlikely to satisfy EU law

• Read original article here

First reaction: Executive Order on US Surveillance unlikely to satisfy EU law More than six months after an "agreement in principle" between the EU and the US, US President Joe Biden has signed the long-awaited Executive Order that is meant to respect the European Court of Justice's (CJEU) past judgments. This is meant to overcome limitations in EU-US data transfers. The CJEU required (1) that US surveillance is proportionatewithin the meaning of Article 52 of the Charter of Fundamental Rights (CFR) and (2) that there is access to judicial redress, as required under Article 47 CFR. Biden's new Executive Order seems to fail on both requirements. There is continuous "bulk surveillance" and a "court" that is not an actual court.

Bulk surveillance continues via two types of "proportionality". The US highlights, that the new executive order uses the wording of EU law ("necessary" and "proportionate" as in Article 52 CFR) instead of the previous term "as tailored as feasible"used in  Section 1(d) of PPD-28. This could solve the problem, if the US would follow the same understanding and also apply the proportionality test of the CJEU. However, the US also clarified that despite changing these words, there will be no changes on US mass surveillance. So-called "bulk surveillance" will continue under the new Executive Order and any data sent to US providers will still end up in programs like PRISM or Upstream, despite of the CJEU declaring US surveillance laws and practices as not "proportionate" (under the European understanding of the word) twice. How is this possible? It seems, the EU and the US agreed to copy the words "necessary" and "proportionate" into the Executive Order, but did not agree that it will have the same legal meaning. If it would have the same meaning, the US would have to fundamentally limit its mass surveillance systems to comply with the EU understanding of "proportionate" surveillance. Max Schrems, chair of noyb.eu: "The EU and the US now agree on use of the word 'proportionate' but seem to disagree on the meaning of it. In the end, the CJEU's definition will prevail - likely killing any EU decision again. The European Commission is again turning a blind eye on US law, to allow continues spying on Europeans."

"Court" is not a real Court. The Executive Order is meant to also add redress. There will now be a two step procedure, with the firs step being an officer under the Director of National Intelligence and a second step being a "Data Protection Review Court". However, this will not be a "Court" in the normal legal meaning of Article 47 of the Charter or the US Constitution, but a body within the US government's executive branch. The new system is an upgrades version of the previous "Ombudsperson" system, which was already rejected by the CJEU. It seems clear that this executive body would not, amount to "judicial redress" as required under the EU Charter. The details of the procedures before these two bodies will need further review, but it seems that users can also not directly raise issues or interact with this court, but will instead be represented by a "special advocate". Max Schrems, chair of noyb.eu: "We have to study the proposal in detail, but at first glance, it is clear that this 'court' is simply not a court. The Charter has a clear requirement for 'judicial redress' - just renaming some complaints body a 'court' does not make it an actual court. The details of the procedure will also be relevant to see if this can satisfy EU law."

Further Research and possible challenge. noyband its partners will analyse the documents in more detail the coming days and will issue a detailed legal analysis within the next days and weeks. If the Commission decision is not in line with EU law and the relevant CJEU judgments noybwill likely bring another challenge before the CJEU. In the meantime, US congress will have to re-authorize FISA 702 in 2023, potentially allowing the US legislator to implement meaningful limitations that respect privacy rights of non-US persons. Max Schrems: "We will analyze this package in detail, which will take a couple of days. At first sight it seems that the core issues were not solved and it will be back to the CJEU sooner or later." Countries with similar privacy protections can't produce a stable deal? It does not seem logical that two democratic countries that both agree on basic legal principles of privacy likely produce the third flawed deal in a row: The Fourth Amendment to the US constitution enshrines a right to privacy and requires that there is probable cause and judicial approval for any wiretap. Equally, the CJEU requires that surveillance must be targeted and there must be judicial approval or review under the EU's Charter of Fundamental Rights. The only difference seems to be that while the EU sees privacy as a human right that applies to any human, the Fourth Amendment only applies to US citizens or permanent residents. In the view of the US, Europeans have no privacy rights. FISA 702 uses that difference in US law and allows surveillance that is illegal under the Fourth Amendment - as long as no Americans are targeted. Max Schrems: "It is amazing that the EU and the US actually agree that wiretapping needs probable cause and judicial approval. However, the US takes the view that foreigners don't have privacy rights. I doubt that the US has a future as the cloud provider of the world, if non-US persons have no rights under their laws. It is contradictory to me that the European Commission is working on a deal that accepts that Europeans are 'second class' citizens and don't deserve the same privacy rights as US citizens." US businesses do not need to comply with GDPR. What is striking, is that the European Commission did not request that the so-called "Privacy Shield Principles" are aligned with the GDPR, which is in force since 2018. The principles are largely the same as the previous "Safe Harbor" principles, which were drafted in 2000 and will continue to be used in the new framework. This means that US businesses can continue to process European data without complying with the GDPR. For example, they don't even need a legal basis for processing, such as consent. Under the Privacy Shield US companies only have to offer an opt-out option for users. This is despite the CJEU highlighting that there need to be "essentially equivalent" protections in the US. Next steps. Now where the US has issued its Executive Order, the European Commission will have to draft a so-called "adequacy decision" under Article 45 of the GDPR. Once the draft decision is issued, the Commission must hear the European Data Protection Board (EDPB), but is not bound by its findings. In addition, the European Member States must be head and could block the deal. This process can take a couple of months. However, even negative statements by the EDPB and Member States are not binding on the Commission. Once the decision is published, companies can rely on it when sending data to the US and users can challenge it via the national and European courts. This is not expected before spring of 2023, even when it was originally envisioned in fall of 2022.