Transferring personal data to the United States used to be a lot easier, until the scale of the US government’s surveillance powers was revealed. Cue a court case against Facebook brought by Max Schrems (who had previously sunk the Safe Harbour provisions for data transfers), and the mechanism for transferring personal data to the US, the “Privacy Shield”, was struck down, leaving a number of data protection practitioners scratching their heads: how do they lawfully transfer personal data to the US now? Following the “Schrems II” decision (CURIA – Documents (europa.eu)), some guidance was provided (fairly limited) and a slightly muddled way forward was found.
Given the importance of data transfers between the UK and the US (and the EU and the US) to all parties concerned, some political movement is required to ease and clarify the transfer process. Signs of that political will have appeared in the form of an agreement between the EU and the US announcing an in-principle agreement on a new data privacy framework. The UK has also been working with the US with a view to prioritising an adequacy decision for transfers of personal data to and from the US (the timing of this will be interesting if there is a divergence between the UK and EU positions). This was then followed by an Executive Order from President Biden on 27th October 2022 which sought to put some parameters around the use of US surveillance powers (Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities | The White House).
What went wrong with Privacy Shield?
The complaint about Privacy Shield was that, regardless of the protections offered by the scheme, the US government could still require Facebook to make the personal data transferred to it available to US authorities (the NSA, the FBI, etc.). The court found that the US surveillance powers meant that EU data subjects did not have an equivalent (and therefore sufficient) level of protection when compared to the protections that they enjoy under EU legislation.
Where are we now?
When wanting to transfer personal data abroad to countries that do not have an “adequacy” decision, companies have to go beyond using standard contractual clauses, an international data transfer agreement or binding corporate rules to conduct the transfer. An analysis of the data transfer also needs to be carried out: what is the nature of the personal data that you are transferring; what are the risks to data subjects; what surveillance powers exist in the country receiving the data; where are the servers based; and what technical or organisational measures can be put in place to minimise or negate the risks to data subjects (e.g. encryption)?
What does the Executive Order say?
In the Order, the US government recognises that there are competing interests in ensuring the safety of its citizens/its national security interests and in taking “into account that all persons should be treated with dignity and respect, regardless of their nationality or where they might reside, and that all persons have legitimate privacy interests in the handling of their personal information.”
The Order specifies legitimate and prohibited objectives for the use of signals intelligence. It is in the prohibited objectives, the parameters put around the legitimate objectives and the establishment of oversight that the most movement has been made.
The legitimate objectives cover a number of the things that you would expect to see: countering terrorism, preventing espionage or other intelligence activities by foreign governments, protecting against cybersecurity threats, protecting against criminal threats, et cetera.
It is worth setting out the prohibited objectives in full here. The US government is banned from using signals intelligence collection activities for the purpose of:
- Suppressing or burdening criticism, dissent or the free expression of ideas or political opinions by individuals or the press (i.e. making it harder to criticise);
- Suppressing or restricting legitimate privacy interests;
- Suppressing or restricting a right to legal counsel; or
- Disadvantaging persons based on their ethnicity, race, gender, gender identity, sexual orientation, or religion (the non-discrimination that UK/EU data protection legislation and other legislation seeks to enforce).
The Order also notes that “It is not a legitimate objective to collect foreign private commercial information or trade secrets to afford a competitive advantage to United States companies and the United States business sectors commercially. The collection of such information is authorized only to protect the national security of the United States or of its allies or partners.”
So: no using signals intelligence collection activities for any and all purposes, no using that intelligence to discriminate, and no spying to obtain personal data for commercial purposes.
Checks and balances
The prohibitions in the Order would not amount to much without there being some oversight. Before the President signs off on any signals intelligence collection activities, the Director of National Intelligence must first obtain an assessment from the Civil Liberties Protection Officer of the Director of National Intelligence (the “CLPO”). The assessment will consider whether the legitimate objectives are being advanced, whether the activity is designed or anticipated to contravene the prohibited objectives, and whether appropriate consideration has been given to the privacy and civil liberties of all persons, regardless of their nationality or where they might reside.
By 26th October 2023, the heads of the US intelligence communities, in consultation with the CLPO, the Attorney General and the Privacy and Civil Liberties Oversight Board (the “PCLOB”), are required to update their policies and procedures to implement the privacy and civil liberties safeguards set out in the Order.
The PCLOB is “encouraged” to review the updated policies and procedures and, within 180 days of the review, the heads of the intelligence communities are required to consider and either implement or address the recommendations set out in the review.
Each intelligence community is required to appoint a senior legal, compliance and oversight officer to oversee the community and ensure that it is complying with US law. In the event that these officers report a non-compliance to the head of the agency or department, that head is required to ensure that remedial action is taken and that there is no recurrence.
The heads of each intelligence community are also required to put in place a process for other qualifying states to complain about any breaches of US law. The CLPO shall review any qualifying complaint that has been received and, subject to certain considerations (e.g. national security considerations and applicable data protections), determine whether remediation is required. The response to such complaints will still remain somewhat opaque: it will not confirm whether there has been any surveillance and will simply state either that there was no breach or that a remediation notice has been issued (without providing further details).
However, the response to the complainant would itself be subject to review – either the complainant or the intelligence community can apply to the Data Protection Review Court (the “DPRC”) to review the CLPO’s decision with a special advocate being appointed on the complainant’s behalf.
The DPRC is staffed by judges who must be independent of the government and have significant data privacy and national security law experience. Again, the decisions of the court will not provide any real detail to the complainant: they will not confirm whether there has been any surveillance or other intelligence activities, but will just confirm whether or not the review identified any violations and any remedial measures that have been imposed.
The Order also ties in somewhat with data protection legislation’s requirement to be proportionate. The Order requires consideration of whether there are less intrusive sources and methods to collect information and requires that signals intelligence collection activities are as tailored as feasible to the intelligence priority, taking into account relevant factors, so that they do not disproportionately impact privacy and civil liberties.
Intelligence agencies are required to have and apply policies designed to restrict access to personal information and to minimise the retention of that information.
The Order goes some way to addressing some of the concerns raised in Europe: it requires that the right to privacy is considered alongside national security implications; it reflects (in part) data protection requirements (not using surveillance powers to discriminate; minimisation; retention considerations, etc.); and it gives a right to complain and to have that complaint reviewed, something that had been missing previously. Does it meet all of the concerns? No. Given the legitimate objectives listed, the Order is never going to provide for complete transparency, but then we do not have complete transparency here in matters of national security either. Privacy Shield 2.0 (when it arrives) will go into a lot more detail than the Order and will no doubt include additional safeguards, but in the meantime this appears to be a step in the right direction.