This article was originally published by the International Association of Privacy Professionals (IAPP) and is reprinted here with the permission of same.
On 10 July, the two final pieces fell into place to create a new lawful basis for transferring personal data from the EU to the U.S., implementing the EU-U.S. Data Privacy Framework announced last October. U.S. Attorney General Merrick Garland designated the EU and the European Economic Area as “qualifying states” under President Joe Biden’s Executive Order 14086.
That same day, the EU issued its final decision that the U.S. provides “adequate” protection of privacy, making it clearly lawful for companies and other organizations to use transfer mechanisms, such as standard contractual clauses, to send personal data from the EU to the U.S. The EU and U.S. actions were linked because the final adequacy decision could only be issued once the EU and its member states had received the designation as “qualifying states.”
The National Security Division of the U.S. Department of Justice published a detailed, 34-page memorandum explaining the legal rationale for the attorney general designation, which found that the intelligence services in the EU provided sufficient privacy protections to Americans.
Background on ‘qualifying states’ under Executive Order 14086
The focus here is on explaining what the U.S. and the EU have said, rather than trying to assess each legal statement in these documents. Under Executive Order 14086, a country can be designated as “qualifying” if it meets three requirements. First, the country must provide “appropriate safeguards in the conduct of signals intelligence activities for United States persons’ personal information that is transferred from the United States” to the qualifying country or region, such as the EU. Second, the qualifying country or region must permit the transfer of personal information for commercial purposes. Third, the designation must “advance the national interests of the United States.”
The earlier EU-U.S. Safe Harbor and Privacy Shield agreements did not include a U.S. finding about European privacy protections, although the 2018 CLOUD Act similarly requires a U.S. attorney general finding before European or other countries can have access to certain types of data.
A privacy-based explanation for reciprocity this time is that other countries, such as in Europe, wish the U.S. government to help protect the privacy of their citizens, so the privacy of Americans should be similarly protected by those other countries. The reciprocity provision can also be seen as a matter of practical politics — the other country won’t qualify unless it opens its border to data flows with the U.S., and if there are future difficulties, then the new U.S. privacy protections can be withdrawn.
What the memorandum says
In assessing whether there are “appropriate safeguards,” the memorandum boils down to three key legal points, including a comparison of EU and U.S. practices. The first is that the EU safeguards should be addressed “holistically,” recognizing that nations vary in the specifics of how they govern their intelligence activities. The memorandum states, “different countries, even those sharing democratic values and a commitment to the rule of law, will have legal and national security systems with differing histories and institutions, such that they may legitimately take differing approaches towards enacting privacy safeguards for signals intelligence activities.”
The U.S. takes what the memorandum calls “a deferential approach” to another “rights-respecting democratic society that follows the rule of law.” The memorandum then alludes to the European Court of Human Rights, which has the power to issue judgments, including on matters of national security, that are binding on parties to the European Convention on Human Rights, including all EU and EEA countries. Citing a 2021 Swedish case and a seminal German case from 1978, the memorandum says, “This deferential approach aligns with the ECtHR’s approach of reviewing each country’s intelligence laws and safeguards holistically and not substituting its own policy views for those of national authorities.”
The second key legal point the memorandum highlights is the similarities among three legal sources. One source is the ECtHR, which has identified “minimum safeguards” for signals intelligence activity, including bulk collection of communications. Next is the Data Privacy Framework itself, which addressed the two holdings of the Court of Justice of the European Union in the “Schrems II” case: The DPF has a new structure to provide redress in response to a complaint from an individual in a qualifying state, and signals activities of U.S. intelligence agencies will comply with new requirements to be “necessary and proportionate.” The third source is the 2022 Organisation for Economic Co-operation and Development Declaration on Government Access to Personal Data Held by Private Sector Entities, which was signed by the U.S., the EU and most of the EU/EEA members.
The memorandum says these three legal sources, all involving the EU and EEA nations, are “on the whole similar” to each other. The implicit U.S. point appears to be that the three legal sources, taken together, provide an emerging consensus about what sorts of safeguards are expected in rule-of-law democracies.
Comparing EU and US safeguards
The memorandum, as a third point, provides a detailed discussion of the safeguards concerning signals intelligence in individual EU member states. It reports multiple ways that member states vary in the structure of their safeguards. It also describes a number of member state practices that appear to not match safeguards the U.S. provides in the DPF. For instance:
- Under the DPF, the decisions of the Data Protection Review Court are binding on all the U.S. intelligence agencies. By contrast, “it appears that EU/EEA countries’ laws vary in terms of whether intelligence oversight bodies have binding authority to order intelligence agencies to take remedial action.”
- Under the DPF, European persons have access to redress from U.S. agencies. By contrast, “some EU/EEA countries’ non-judicial redress mechanisms have binding authority but appear not to be fully available to U.S. persons seeking redress with respect to their communications sent to or from the United States.”
- Under the DPF, an advocate is appointed on behalf of the complainant, with access to the relevant classified information. By contrast, “it appears that EU/EEA countries’ non-judicial redress mechanisms generally lack a requirement to ensure the appointment of an advocate in each case who is authorized to access the full case record, including sensitive national security information, and is responsible for advocating for the interests of the complainant before the entity reviewing the complaint.”
After performing these comparisons, the memorandum concludes “the EU/EEA’s safeguards, when viewed on the whole, demonstrate a sufficient commitment to privacy with respect to their national security activities.” The memorandum also offers a disclaimer: “In light of our limited access to information about the intelligence laws of EU/EEA countries in this area, and the complexity of such laws, further exchanges of information between the Commission and EU/EEA countries and the United States would be welcome.”
Accompanying letter from the EU Commissioner for Justice
A separate account of European legal protections was published the same day as the memorandum, in an accompanying letter from EU Commissioner for Justice Didier Reynders. There are notable similarities between this letter and the U.S. memorandum. Both documents are part of the same overall process of putting the DPF into effect. Both extensively cite many of the same ECtHR cases, with fewer citations to the CJEU. Both favorably note the 2022 OECD Declaration, with the letter stating “the Declaration reflects the type of privacy safeguards that the EU, its Member States, and the United States share in this area.”
The structure of the Reynders letter, however, differs from the memorandum. It closely tracks the structure of the European Essential Guarantees, issued by the European Data Protection Board in 2020. The EEGs were designed to assess “whether surveillance measures allowing access to personal data by public authorities in a third country, being national security agencies or law enforcement authorities, can be regarded as a justifiable interference or not.” In assessing a third country, such as the U.S., the EEGs provide four principles:
1. Processing should be based on clear, precise and accessible rules.
2. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated.
3. An independent oversight mechanism should exist.
4. Effective remedies need to be available to the individual.
In examining this list, some of us might recall an undergraduate philosophy course, considering the European approach to be Cartesian, with a top-down set of principles, compared to an American pragmatist approach, which is more bottom-up, empirically focusing on specific facts.
Regardless of whether one uses labels such as Cartesian or pragmatist, the U.S. memorandum is much more focused on very specific aspects of EU and member state law, such as the examples above about binding decisions and the role of an advocate. Perhaps due in part to these differing approaches, it is far from simple to map each part of the U.S. memorandum to each part of the Reynders letter.
An essential element of putting the DPF into operation was the designation by the U.S. attorney general of the EU and its member states, as well as the EEA, as “qualifying states” under Executive Order 14086. The memorandum provides extensive research about the law applying in the EU and EEA for signals intelligence, as applied to possible surveillance of U.S. persons.
Indeed, so far as I am aware, it is the first attempt by a national government to apply a granular analysis to European surveillance law, drawing on the three sources.
As noted here, the memorandum takes a “holistic” view of the privacy protections provided in other rule-of-law democracies, emphasizing the differing history and institutions among nations. The memorandum highlights the similarities between the safeguards provided by three legal sources, all approved by the EU: decisions of the ECtHR, the 2022 OECD Declaration and the DPF itself.
Finally, the memorandum probes for specific situations where the DPF protections may exceed European practice, while the Reynders letter emphasizes the overarching principles in the EEGs. Taken together, the memorandum and the letter provide official descriptions of these complex national security and privacy issues, and are thus helpful reading for those anticipating possible legal challenges to the newly approved DPF.
These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.