The inadequacy of the US Executive Order on Enhancing Safeguards For US Signals Intelligence Activities

After the successive debacles over previous EU–US personal data flow arrangements, the EU and US authorities announced in March 2022 they had reached a new “political agreement” on data transfers. The first concrete result is the Executive Order (EO) On Enhancing Safeguards For United States Signals Intelligence Activities, published by the White House on 7 October.

The new EO does not change the fact the US authorities insist on carrying out indiscriminate, untargeted mass surveillance, also of EU persons and EU governmental and non-governmental entities, by means of bulk collection of data, without independent substantive judicial oversight or effective redress.

Specifically, the analyses show (expanded on in detail in the full paper below):

1. The Presidential Executive Order is not clear or precise or foreseeable in its application, and can be secretly amended by the president. It does not have the “quality of law” required under European human rights standards.
2. The purposes for which the Presidential Executive Order allows the use of signals intelligence and bulk data collection capabilities are clearly not limited to what the EU Court of Justice regards as legitimate national security purposes. From the EU legal perspective, this is a lethal defect in the new regime that is fundamentally incompatible with the EU Charter of Fundamental Rights.
3. “Bulk collection” as practiced by the USA (in close cooperation with the UK and the other “Five Eyes” countries, Australia, Canada and New Zealand), is by definition indiscriminate; it is not limited to data that has some link, even indirectly, to any serious threat or known person. It refers to what the Court of Justice of the EU calls the collection of data “on a generalised basis”. Only after (bulk) collection is there an attempt to filter out data that are not relevant, necessary or proportionate to the relevant objective.

Moreover, the Presidential Executive Order does not limit signals intelligence generally, and indiscriminate bulk collection of personal data including e-communications content and metadata specifically, to what is considered “necessary”, “proportionate” and “legitimate” in relation to national security under EU law.

In particular:

• The EO does not stand in the way of the indiscriminate bulk collection of e-communications content data that the EU Court held does not respect the “essence” of data protection and privacy and that therefore, under EU law, must always be prohibited, even in relation to national security issues (as narrowly defined);
• The EO allows for indiscriminate bulk collection of e-communications metadata outside of the extreme scenarios in which the EU Court only, exceptionally, allows it in Europe; and
• The EO allows for indiscriminate bulk collection of those and other data for broadly defined not national security-related purposes in relation to which such collection is regarded as clearly not “necessary” or “proportionate” under EU law.
• The oversight system created by the Presidential Executive Order is neither “wholly autonomous” nor “free from hierarchical constraint”; its judges are appointed for only four years and can be removed by the US President at will; and the President can overrule its decisions (even in secret). The system does not meet the European Article 47 CFR standards of independence and impartiality.
• The redress system for individuals who may be affected by US surveillance is not “effective” or “fair” in terms of the EU Charter of Fundamental Rights. It is essentially secret, grants the individuals nothing that approaches “equality of arms”, and the “judgment” (the outcome of the process) is not made public or available to the complainant (the “boilerplate” prescribed responses cannot be regarded as the judgment). Individuals who have been under surveillance but not found to be implicated in any of the threats covered by the EO are never informed of this, not even if this informing would not jeopardise an ongoing investigation. And the redress system does not cover at all US surveillance by means of data bought by the USA from private companies (or accessed by the US agencies under arrangements with such companies). In sum: the redress system, too, does not meet the European Article 47 CFR standards on fair and effective redress.

Overall conclusion

In my opinion, given the above many clear and serious defects, it should be inconceivable that the European Commission would issue yet another positive adequacy decision on the USA, based on yet another inadequate system of regulation of and oversight over US signal intelligence and bulk data collection. However, history shows that the Commission tends to try and issue such decisions in spite of such defects, presumably for trading and political reasons. Yet another judicial debacle – “Schrems III” – should surely be avoided.

Hopefully, the European Parliament and civil society will forcefully speak out against this attempt to endorse yet another fundamentally flawed and inadequate arrangement.

One final thought

As US legal analysts Elizabeth Goitein and Ashley Gorski also rightly argue, what is needed in the USA is fundamental reform of surveillance laws and practices, to provide full and proper protection against undue surveillance to US and non-US persons alike.

But I should also recall what Ian Brown and I already argued in our 2021 study for the European Parliament:

[t]he EU institutions and in particular the European Parliament should stand up for the rule of law and demand that both the Member States and third countries bring their intelligence practices and domestic law frameworks fully in line with international human rights law.

Until the surveillance laws and practices of the EU Member States – and the UK – are also brought in line with fundamental European human rights principles – which they currently manifestly are not in many Member States and the UK – it will always be politically difficult for Europeans to argue against the inadequacies of US law in this respect. The fact that all Western European countries are party to the European Convention on Human Rights is not sufficient in this regard: it takes years to challenge wrongful practices and the Convention enforcement system remains weak. Even in countries in which the Convention can be directly invoked and applied by the domestic courts, it remains extremely difficult to change the engrained human rights-unfriendly attitudes and approaches of the intelligence agencies.