Kezia Vilawa, Author at TechGDPR
https://techgdpr.com/blog/author/kezia/
Last updated: Thu, 30 Jan 2025 12:06:41 +0000

What to do after appointing a DPO
https://techgdpr.com/blog/dpo-appointment/
Fri, 29 Nov 2024 09:40:04 +0000

The post What to do after appointing a DPO appeared first on TechGDPR.

Appointing a Data Protection Officer (DPO) is a significant step in ensuring compliance with data protection regulations. However, this appointment does not absolve the company of its compliance responsibilities. In reality, the role of the officer is to guide and advise, not to shoulder the entire burden of compliance. As DPO for companies around the world, TechGDPR has a defined DPO program to review documentation, conduct training and audits. Although other DPOs may adopt a different approach, the company must remain engaged. Companies must work closely with the DPO to stay informed and ensure adherence to data protection laws. Ultimately, the liability for data protection remains with the company, making active involvement, continuous collaboration and oversight essential. This article explains the necessary company involvement once the DPO is appointed and the collaborative efforts required to maintain compliance.

Active company involvement in DPO activities

Time involvement

When a company appoints a DPO, it must be prepared to invest time into maintaining compliance. Compliance is not only a state to aim for, but must also be maintained. Compliance does not stop at appointing one. The DPO, while knowledgeable and skilled, cannot single-handedly ensure the company’s adherence to data protection laws. Regular meetings between the DPO and company leadership are essential to address open and emerging compliance issues. 

Reasonable time involvement for regular meetings might range between 30 minutes and an hour every 2 weeks or monthly. This depends on the size and industry of the company and the number of persons involved. Other activities, such as training and compliance audits, will each require 2 to 10 hours, depending on the training needs of the company and the scope of the audit. Without this active involvement, the DPO will lack the insights necessary to effectively manage data protection risks. Furthermore, a fast-evolving regulatory landscape requires continuous monitoring and adaptation. By dedicating time to collaborate with their DPO, companies can anticipate and mitigate potential adverse impacts on business operations. This proactive approach not only protects the organisation but also builds trust with customers and stakeholders. Ultimately, the time invested in supporting the DPO is an investment in the company’s reputation and long-term success.

Team involvement

Companies should plan, resource and facilitate the involvement of relevant team members to support DPO efforts. This involvement is vital because data protection is an organisation-wide responsibility extending beyond the DPO’s expertise. By engaging various departments such as IT, HR, legal and marketing, companies ensure comprehensive coverage of their operations. Each department handles different types of data and is responsible for specific processing activities. This makes department-specific participation vital in data mapping (Article 30 of the GDPR), identifying risks and implementing effective safeguards. Collaboration fosters a culture of data protection awareness, helping to embed compliance into the company’s daily operations. Moreover, involving team members allows for more efficient and timely responses to compliance issues. This is better than forcing all communication to flow through one single person in the company. Such collective effort minimises the risk of a single point of failure. It also ensures that the DPO is able to maintain actual oversight of company operations.

Information & documentation

A DPO cannot function efficiently without the full cooperation of the company. Companies must be prepared to provide comprehensive information and documentation to support DPO efforts. This includes information about data processing activities, access to internal policies, details about data subjects, the purposes of data processing, data retention periods, records of data breaches or security incidents, as well as other documentation and systems relevant to data protection compliance. This is crucial because the DPO relies on accurate and up-to-date information to assess compliance with data protection laws effectively. By providing this information, companies empower their DPO to conduct thorough assessments, identify potential compliance issues, implement appropriate safeguards and offer sound advice on mitigating risks. Additionally, proper documentation supports the DPO in demonstrating compliance to regulatory authorities, which can protect the company during audits or investigations. Open communication and information sharing are essential for ensuring ongoing compliance and mitigating potential legal and reputational damage. Ensuring the DPO has all necessary information and documentation not only aids in compliance but also enhances the company’s overall governance and trustworthiness. Since DPOs are bound by confidentiality, companies may safely share information with them.

Adequate resourcing

Article 38(2) of the GDPR states that organisations are required to provide the DPO with the necessary resources to carry out their tasks and maintain their expert knowledge. This includes allocating a sufficient budget and access to the highest management level, ensuring that the DPO is consulted before key decisions are made. Without these resources, the DPO cannot effectively monitor compliance, conduct audits or provide essential training to employees. Inadequate support undermines the DPO’s ability to fulfil their regulatory duties.

According to the EDPB (formerly known as Working Party 29) Guidelines on Data Protection Officers, the following resources should be provided to the DPO:

  • active support of the DPO’s function by senior management;
  • sufficient time for DPOs to fulfil their tasks;
  • adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate;
  • official communication of the designation of the DPO to all staff;
  • access to other services within the organisation so that DPOs can receive essential support, input or information from those other services;
  • continuous training.

Ensuring proper resourcing is not only a legal obligation but also a strategic investment in the company’s data protection framework. Failing to properly resource can lead to compliance risks and potential penalties for the company.

Responsiveness

Open communication is important for a successful relationship with the DPO. Responsiveness on the company’s part ensures that the DPO has timely access to requested information and resources, enabling them to fulfil their duties accurately. Companies must be responsive to the DPO’s requests for information, data or support. This includes timely responses to emails, attending meetings, participating in data protection compliance audits, training, etc. By promptly addressing the DPO’s requests, companies help identify and mitigate their potential compliance risks. Ignoring requests or delaying responses to the DPO can lead to oversights, lapsed statutory deadlines and non-compliance, e.g. failing to acknowledge or fulfil a data subject request, or failing to notify the supervisory authority of a reportable data breach. This exposes the company to significant legal and financial risks. Therefore, maintaining a proactive and supportive relationship with the DPO is crucial for upholding data privacy standards and protecting the company’s interests.

Ensure active engagement with your DPO

In summary, appointing a DPO is only one part of a company’s compliance journey. True compliance requires the company to commit time, involve team members, provide necessary information and documentation, allocate adequate resources and respond in a timely manner to requests. While the DPO offers valuable advice and oversees compliance activities, the ultimate responsibility for compliance will always rest with the company. So, when unsure how to interact with your DPO after appointing one, make sure to ask and clarify the expected staff involvement in your organisation. Active involvement and continuous support for the DPO are essential to maintaining data protection compliance. By embracing these responsibilities, companies can ensure they not only meet regulatory requirements but also uphold the highest standards of data privacy and security.

Difference between Fundamental Rights Impact Assessment & Data Protection Impact Assessment
https://techgdpr.com/blog/difference-fundamental-rights-impact-assessment-dpia/
Tue, 30 Jul 2024 07:00:00 +0000

The post Difference between Fundamental Rights Impact Assessment & Data Protection Impact Assessment appeared first on TechGDPR.

Through the AI Act, the EU seeks to ensure that AI systems used within the Union are safe and transparent. The EU AI Act provides a regulatory framework focusing on safeguarding fundamental rights in relation to high-risk AI systems. Companies making use of AI, regardless of their size or industry, must now comply with the AI Act’s provisions. This marks a significant step towards responsible and ethical AI development and deployment across the region. Article 113 of the EU AI Act states that the Regulation “[…] shall apply from 2 August 2026”. However, some provisions become applicable sooner or later than this date. Most of the Act’s provisions require full compliance 24 months after its entry into force.

Crucial to the AI Act is that organisations using high-risk AI systems must conduct a comprehensive Fundamental Rights Impact Assessment (FRIA). This assessment proactively identifies and mitigates potential harms to individuals. Notably, the FRIA shares similarities with the Data Protection Impact Assessment (DPIA) mandated under the GDPR. This underscores the intersection of data protection and fundamental rights in the context of AI systems.

What is a Fundamental Rights Impact Assessment (FRIA)?

While the EU AI Act does not expressly define the FRIA, it explains what the objective of the assessment is. The Act also states what the assessment must contain. Recital 96 of the AI Act states that “The aim of the fundamental rights impact assessment is for the deployer to identify the specific risks to the rights of individuals or groups of individuals…”. Moreover, the FRIA helps to “identify measures [to take] in the case of a materialisation of those risks”. Organisations must conduct the FRIA “prior to deploying the high-risk AI system”. They are also required to update it “when ... any of the relevant factors have changed”.

In other words, a FRIA is an evaluation of the risks that high-risk AI systems present to individuals’ rights. It is also the determination of remediation strategies to manage and mitigate those risks in case they occur.

What should a Fundamental Rights Impact Assessment contain?

According to Article 27(1) of the EU AI Act, the Fundamental Rights Impact Assessment should contain the following information:

(a) a description of the deployer’s processes in which the high-risk AI system will be used in line with its intended purpose;

(b) a description of the period of time within which, and the frequency with which, each high-risk AI system is intended to be used;

(c) the categories of natural persons and groups likely to be affected by its use in the specific context;

(d) the specific risks of harm likely to have an impact on the categories of natural persons ..., taking into account the information given by the provider pursuant to Article 13 (transparency obligations of AI providers);

(e) a description of the implementation of human oversight measures, according to the instructions for use;

(f) the measures to be taken in the case of the materialisation of those risks,

Interestingly, Article 27(4) of the EU AI Act states that if organisations meet “any of the obligations laid down in this Article […] through the data protection impact assessment conducted pursuant to Article 35 of [the GDPR]…, the fundamental rights impact assessment referred to in paragraph 1 of this Article shall complement that data protection impact assessment”. Essentially, the fundamental rights impact assessment should complement the data protection impact assessment.

Intersection between Fundamental Rights Impact Assessment and Data Protection Impact Assessment

Article 35 of the GDPR states that a DPIA evaluates the impact of processing operations on the protection of personal data. This applies in particular where the processing operations make use of new technologies and are likely to result in a high risk to the rights and freedoms of natural persons. Based on this, it appears that the FRIA and DPIA relate to the impact, rights and protection of personal data for high-risk AI systems and high-risk processing operations respectively.

The table below offers a quick overview of the minimum information requirement for the FRIA and DPIA:

Topic | FRIA | DPIA | Comments
Description of processing | ✔️ | ✔️ | FRIA: requires a description of the deployer’s processes. DPIA: requires a description of the controller’s processing operations.
Purpose of processing | | ✔️ |
The legitimate interests pursued | | ✔️ |
Risks to the rights and freedoms of individuals | ✔️ | ✔️ | FRIA: requires inclusion of the specific risks to individuals, taking into account the information provided by the provider of the AI system. DPIA: requires inclusion of the risks to individuals, taking into account the nature, scope, context and purposes of the processing operation.
The necessity / proportionality of the operations in relation to the purposes | | ✔️ |
Measures to address the risks | ✔️ | ✔️ | FRIA: requires the measures to be followed in case the risks materialise, internal AI governance and a mechanism for complaints. DPIA: requires safeguards and security measures to ensure the protection of personal data and to demonstrate compliance with the GDPR.
The time period and frequency of intended use | ✔️ | |
Categories of natural persons likely to be affected | ✔️ | |
Implementation of human oversight measures | ✔️ | |

FRIA and DPIA in practice

The minimum requirements for the FRIA and the DPIA differ. In practice, however, both assessments often include additional information, making them quite similar. For example, Article 35 of the GDPR does not mandate the inclusion of data subject categories in the DPIA. However, organisations logically include such details to identify risks to individuals’ rights and freedoms. Similarly, the EU AI Act does not explicitly require the purpose and proportionality of processes in the FRIA. Yet organisations naturally include them when describing the processes and the necessity of the AI system.

What are the differences?

The major difference between the Fundamental Rights Impact Assessment and the Data Protection Impact Assessment is their focus point. The FRIA focuses on how the AI system directly impacts the rights of individuals. The DPIA focuses on how the processing operation impacts the protection of personal data and the rights of individuals.

The table below provides an overview of the major differences between the FRIA and the DPIA:

FRIA | DPIA
Required for high-risk AI systems | Required for processing operations making use of new technologies, when: automated processing is used and profiling is carried out on a large scale; special categories of personal data are processed; or systematic monitoring of a publicly accessible area occurs
Relates to deployers of high-risk AI systems | Relates to controllers
Deals with the impact of high-risk AI systems on the rights of individuals | Deals with the impact of processing operations on the rights of individuals
Is focused on mitigating risks to ensure that the rights of individuals are protected | Is focused on mitigating risks to ensure that personal data is protected
Considers information provided by the provider of the high-risk AI system | Considers information relating to the nature, scope, context and purposes of the processing operation

Summary

The major takeaway is that the Fundamental Rights Impact Assessment and the Data Protection Impact Assessment play complementary roles. At least, this is the intent of the EU AI Act according to Article 27(4). Therefore, organisations deploying high-risk AI systems that process personal data will have to conduct both assessments. If your organisation is a provider of high-risk AI systems, there is no requirement to conduct the FRIA. However, providers must make information available to deployers of the AI system to make the conduct of the FRIA possible. This is because a substantial part of the assessment relies on the information presented by AI providers.

Given that the EU AI Act is new, organisations may struggle with identifying their role in the AI value chain. Organisations may also struggle to comply with the requirements based on that role. At TechGDPR, we assess your processing operations, the information provided by AI providers and the envisaged implementation of the AI system to help determine what requirements apply under the EU AI Act. We can help you correctly classify the AI system(s) your organisation plans to manufacture or deploy, ensuring early detection of any outright prohibitions. This will prevent your organisation from wasting valuable resources on systems not allowed within the EU.

UK Restricted Transfers: Standard data protection clauses by the ICO
https://techgdpr.com/blog/uk-restricted-transfers-standard-data-protection-clauses/
Fri, 15 Mar 2024 14:55:28 +0000

The post UK Restricted Transfers: Standard data protection clauses by the ICO appeared first on TechGDPR.

As organisations continue to navigate the complexities of data protection laws, staying abreast of key deadlines is paramount. One such deadline relates to organisations involved in restricted transfers of personal data under UK data protection law. The ICO set a critical deadline for organisations that transfer personal data outside the UK. This article explains what you need to do to ensure compliance with the ICO’s directive and the UK GDPR.

The deadline pertains to the validity of the old EU standard contractual clauses (SCCs) issued by the European Commission under the previous Data Protection Directive (the old EU SCCs). Note that the EU has also replaced the old EU SCCs; the last month of their validity there was December 2022. If your organisation relies on these clauses for restricted transfers in the UK, they are no longer valid for restricted transfers after March 21, 2024. The ICO has issued two sets of standard data protection clauses for restricted transfers under the UK GDPR. Organisations must either enter into a new contract based on the International Data Transfer Agreement (IDTA) or annex the Addendum provided by the Information Commissioner’s Office (ICO).

Standard data protection clauses are pre-approved contracts that organisations can use to ensure personal data transferred outside the UK receives adequate protection.

How to determine if this deadline affects your organisation in the UK

If your organisation transfers personal data outside the UK (restricted transfers), you need to act now if you were previously relying on the old EU SCCs. These old SCCs are no longer valid for restricted transfers under UK GDPR after March 21, 2024.

1. Assess your current restricted data transfers

Review your organisation’s current data transfer practices to ascertain whether they involve restricted transfers under the UK GDPR. Do you transfer personal data from the UK to countries outside the UK? If yes, were you previously relying on old EU SCCs approved under the Data Protection Directive for these transfers? If you answered yes to both questions, you need to switch to the International Data Transfer Agreement (IDTA) provided by the ICO. If you answered no to the second question, you may not need to take further action.

Note that in the UK, if you currently rely on the new EU SCCs adopted in June 2021, it is not necessary to sign the IDTA; the ICO allows you to annex the Addendum to your existing EU SCCs. However, if the SCCs are old, you will have to stop relying on them completely.

2. Evaluate existing Agreements

Determine when your organisation entered into the contracts. Contracts entered into under the Data Protection Directive are valid only until March 21, 2024, after which any transfer of personal data out of the UK under such Agreements will most likely constitute an illegal transfer of data.

As an indication, the new EU SCCs were adopted in June 2021, therefore any EU SCC document dated before that would be the old version.

The ICO restricted transfers deadline affects my organisation, what can I do?

The UK Information Commissioner’s Office (ICO) offers two options for compliant data transfers after March 21, 2024.

Organisations in the UK can choose to do either of the following:

1. Use the UK International Data Transfer Agreement (IDTA)

This Agreement is specifically designed for restricted transfers under the UK GDPR.

2. Use the UK Addendum with the new EU SCCs

This option allows you to leverage the new EU SCCs (adopted in June 2021) but requires an additional agreement (the Addendum) to ensure compliance with UK GDPR. If your organisation relies on the new EU SCCs, it will need to annex the Addendum to comply. It will not need to enter into an entirely new agreement. Before annexing the UK Addendum to previously signed SCCs, ensure to check with the other contracting party or parties. This ensures that they are aligned on the additional obligations introduced by the UK Addendum.

3. Conduct a Transfer Risk Assessment

Regardless of the option you choose, you must conduct a transfer risk assessment. This assessment evaluates the potential risks to personal data in the recipient country. This is a requirement by the ICO.

Conclusion

It is essential for organisations to act proactively. Doing this prevents disruptions in data transfers and potential non-compliance with data protection laws. Not sure about how the required changes impact your organisation or need assistance in navigating the required changes? Get in touch with us. We can carry out a quick assessment and design custom-made solutions to align your organisation with the ICO’s directive.

Generally, we can help your organisation stay ahead of compliance requirements and safeguard the integrity of data transfers in accordance with UK data protection laws.

In summary…

  • Review your data transfer practices. Identify all instances where you transfer personal data from the UK to countries outside the UK.
  • Determine if you were using old EU SCCs for these transfers.
  • If the deadline applies to you, explore the IDTA and Addendum options.

Misconceptions about the role of a Data Protection Officer (DPO)
https://techgdpr.com/blog/dpo-misconceptions-about-the-role-of-a-data-protection-officer/
Wed, 14 Jun 2023 11:51:11 +0000

The post Misconceptions about the role of a Data Protection Officer (DPO) appeared first on TechGDPR.

For many organisations, the appointment of a DPO has become mandatory. Although Articles 37 to 39 of the GDPR make provisions for the designation, position and tasks of a DPO, some misconceptions still exist about who needs one, who can be one and what kind of tasks a DPO can undertake.

Who is a DPO?

According to GDPR Art. 39, the data protection officer is responsible for:

  • advising the controller or processor about their obligations under the GDPR and monitoring compliance with the same;
  • awareness-raising and training of staff involved in processing operations and related audits;
  • cooperating with, and acting as contact point for the supervisory authority on issues relating to processing.

According to article 38.3 of the GDPR, the DPO shall report directly to the top management of the controller or processor. Article 38.3 further states that the DPO must not receive instructions from the controller or processor regarding the exercise of its statutory tasks. The DPO shall not be dismissed or penalised for performing its tasks.

Based on the foregoing, a DPO is an independent officer reporting to top-level management of an organisation and responsible for monitoring compliance with, and advising on applicable data protection laws within that organisation.

A DPO can either be a qualified individual or an organisation. According to article 37.6 of the GDPR, a DPO may fulfil its tasks on the basis of a service contract. The Article 29 Working Party (WP29) further explains that a service contract may be concluded with an organisation for DPO services. In this case, individual skills can be combined so that several individuals, working in a team, may efficiently serve their clients. Such organisations offer DPO as a service.

Does my organisation need a data protection officer?

The office of the DPO is a statutory creation. Having looked at its tasks, you might ask: do I need one? Article 37 of the GDPR states that controllers and processors shall designate a DPO. Interestingly, it provides instances where a DPO must be appointed, but not where it is not necessary to do so. According to article 37 GDPR, appointment is necessary where:

  1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  2. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  3. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.

However, GDPR Article 37.4 states that in all other instances, an organisation may voluntarily appoint a DPO or do so if required by member state law.

Section 38 of the German Federal Data Protection Act (BDSG) provides that the controller and processor shall designate a data protection officer if:

  • they constantly employ, as a rule, at least 20 persons dealing with the automated processing of personal data;
  • the controller or processor undertake processing subject to a data protection impact assessment pursuant to Article 35 of Regulation (EU) 2016/679;
  • they commercially process personal data for the purpose of transfer, of anonymized transfer or for purposes of market or opinion research, […] regardless of the number of persons employed in the processing. 

Misconception

Every German business needs to appoint a DPO.

Clarification

Under the BDSG in Germany, your business must appoint a DPO if it:

  • employs at least 20 persons;
  • carries out the automated processing of personal data or processing subject to a data protection impact assessment;
  • commercially processes personal data for the purpose of transfer, of anonymised transfer or for purposes of market or opinion research.

Under the GDPR, organisations need to appoint a DPO if:

  • they are a public authority or body, except for courts acting in judicial capacities;
  • their core activities consist of processing which require regular and systematic monitoring of data subjects on a large scale;
  • their core activities consist of processing special categories of data on a large scale or personal data relating to criminal convictions and offences.

Can I appoint an employee within my organisation as DPO?

Misconception

Anyone with the relevant knowledge within my organisation can be its DPO.

Clarification

According to article 37.6 of the GDPR, the DPO may be a staff member of the controller or processor. A DPO may also fulfil the tasks on the basis of a service contract. However, article 38.6 states that an organisation must ensure that the duties of its DPO do not result in a conflict of interests. Article 38.3 states that the DPO shall:

  • not receive instructions regarding the exercise of its tasks;
  • not be dismissed or penalised for performing its tasks;
  • directly report to the highest management level.

Conflict of interest

A conflict can arise where the DPO also determines the means and purposes of the processing of personal data. For instance, a Chief Information Security Officer will often implement measures to secure data, e.g. establishing access controls. Steps taken towards securing data can also qualify as processing, e.g. the pseudonymisation and encryption of data. Therefore, it would create a conflict of interest where the Officer determines the means of processing and, as DPO, also has to reach a conclusion that the means of processing is non-compliant with the GDPR.

In September 2022, the Berlin supervisory authority issued a fine of €525,000 to an e-commerce company. An employee in a managerial position had been appointed as DPO. The company thus appointed a data protection officer who was to independently monitor decisions he had taken in a different capacity. The Authority stated that a data protection officer cannot both monitor compliance with data protection law and co-decide about it. Such self-regulation contradicts the independent function of a DPO, who is supposed to be responsible for data protection compliance within the company.

The WP29, in its Guidelines on Data Protection Officers (DPOs), states that ‘… conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing’.

Measures to avoid DPO conflict of interest within an organisation

Controllers and processors can put measures in place to avoid a conflict of interest when appointing an internal DPO. The WP29 provides a list of measures in its Guidelines on DPOs; however, the list is not exhaustive. Organisations should continue to avoid conflicts of interest by any means necessary. The measures offered by the WP29 are that organisations should:

  • identify the positions which would be incompatible with the function of DPO;
  • draw up internal rules to this effect in order to avoid conflicts of interest (written rules also make it easier for management to stick to them);
  • include a more general explanation about conflicts of interest;
  • declare that their DPO has no conflict of interest with regard to their function as DPO, as a way of raising awareness of this requirement;
  • include safeguards in the internal rules of the organisation and ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed […]. In this context, it should also be borne in mind that conflicts of interest may take various forms depending on whether the DPO is recruited internally or externally.

Summary

The GDPR specifically provides for the office, appointment, position, tasks and duties of a DPO. Whether or not you need one depends on the factors stated in the GDPR and on the applicable national data protection laws. When appointing an employee as your DPO, it is also important to assess the possibility of a conflict of interest. Internal DPOs are more prone to conflicts of interest because they carry other tasks in the organisation. Organisations should be mindful of which of those tasks would prove incompatible with the independent oversight expected of the DPO.

No specific section of the GDPR deals with the liability of a DPO for ensuring compliance, because controllers and processors remain liable for non-compliance at all times. Understandably, an officer who can execute their tasks without fear of dismissal is more likely to act independently. In addition, because DPOs neither make management decisions nor determine the means and purposes of processing, they cannot be held liable for those decisions. According to the WP29 Guidelines, a DPO can still be dismissed legitimately for reasons other than the performance of his or her tasks as DPO (for instance, in the case of theft, physical, psychological or sexual harassment, or similar gross misconduct).

If you would rather appoint an external DPO or need help in determining whether to appoint one, contact us for a tailored assessment.

The post Misconceptions about the role of a Data Protection Officer (DPO) appeared first on TechGDPR.

Hardware identifiers: Is an IMEI number personal data? https://techgdpr.com/blog/hardware-identifiers-is-the-imei-number-personal-data/ Tue, 28 Feb 2023 07:20:57 +0000

Elements of personal data

With the introduction of the GDPR in 2018, data protection has become a popular topic from both a legal and a technical perspective. Efforts around privacy and data protection centre on personal data and its protection, so it matters what counts as personal data. Under the EU GDPR, the definition of personal data has several key elements.

Personal data is any information relating to an

  1. identified or
  2. identifiable natural person ('data subject')

who can be identified

  1. directly or
  2. indirectly.

Article 4(1) of the EU GDPR gives examples of personal data in its definition. It states that personal data could be '[…] an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person'. From this definition and the examples it gives, it follows that technical information relating to hardware can constitute personal data, something that the proposed e-Privacy Regulation is expected to clarify further.

Hardware identifiers

Technical information attributed to hardware can take the form of numeric, alphanumeric or alphabetic codes used to uniquely identify a device, or a batch of devices, on its own or within a network: for instance, the serial number of a device, the IMEI number, the model number or the MAC address. Serial numbers are unique and are assigned by the manufacturer to a device, which could be a mobile phone, a television, a tablet, audio/video equipment, etc. According to guidance from Samsung, serial numbers help manufacturers organise and keep track of their products. The IMEI (International Mobile Equipment Identity) number uniquely identifies a mobile communication device; in principle no two devices share an IMEI, although a dual-SIM handset carries one IMEI per SIM slot and cloned or altered IMEIs do occur in practice, so it should not be treated as an infallible fingerprint. The IMEI is nonetheless commonly described as the digital fingerprint of a device. A MAC address identifies a network interface rather than a person, and current mobile operating systems randomise the MAC address presented to Wi-Fi networks, which weakens but does not remove its value as an identifier. The model number identifies what type of device you have and applies to every device that shares, for example, the same manufacturer or release year. While the model number is a hardware identifier, it is not unique to a device, as many devices carry the same model number.

How can hardware identifiers be personal data?

Since these numbers are merely hardware identifiers, how could they also be personal data? Of particular interest is the IMEI number, which is often seen as the digital fingerprint of a device. Taking the definition of personal data into account, the IMEI number becomes personal data as soon as it is associated with a person. Consequently, the IMEI number of a smartphone would not be regarded as personal data until the phone is purchased. However, when a person purchases the smartphone and activates it, which often involves providing personal details such as a name, email address, password or biometrics (e.g. opting for Face ID unlock), the IMEI number becomes personal data, as it is now linked to other information about the owner or user of the smartphone.

At this point, the individual elements of the definition of personal data become important. Personal data is information relating to a person who is identified or identifiable, directly or indirectly. Where a set of data points together is capable of identifying a person, any further data combined with that set, such as a device identifier, in turn becomes personal data.

Practical examples

Paragraphs 171 and 172 of the European Data Protection Board (EDPB) Guidelines on processing personal data in the context of connected vehicles and mobility related applications state that when a person's smartphone is paired with the dashboard of a rental car over Bluetooth or USB, a variety of data is processed by the rental car. This might include phone identifiers, voice and data communications, contact lists, web browsing data, personal contacts, schedules, choice of music, radio and other streamed audio or video content, all of which reveal personal information and together help draw a precise profile of the data subject. Since IMEIs are used to lock devices to carriers, to blacklist lost or stolen phones and to track the location of a smartphone, it is clear why the IMEI number of a device should be considered personal data after its purchase and subsequent activation. In addition, law enforcement agencies routinely use IMEI numbers to track down suspects and for other forensic purposes. The use of IMEI numbers to track individuals makes a good case for treating the IMEI number as personal data as soon as it becomes associated with a person, whether by purchase, activation or otherwise.

This conclusion also applies to all other hardware identifiers which are unique to the device and through which the device or its user may be traced. 

What can I do if I process IMEI numbers in the course of my business operations?

When considering whether your business processes personal data in the form of hardware identifiers, a number of factors must be taken into account, such as whether these identifiers become linked to a person through the purchase of a device, its activation or its use. If you are unsure whether such identifiers constitute personal data, request a more detailed assessment from TechGDPR, whose consultants will take your specific business operations into consideration and tailor your compliance solutions.

The post Hardware identifiers: Is an IMEI number personal data? appeared first on TechGDPR.

EU-US data transfers: US Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities and the impact on organizational GDPR compliance. https://techgdpr.com/blog/us-executive-order-and-impact-on-eu-us-data-transfers/ Tue, 20 Dec 2022 08:34:00 +0000

It is no longer news that EU-US data transfers have become increasingly challenging since the invalidation of the EU-US Privacy Shield Framework in 2020. Since then, companies have had to rely on standard contractual clauses and, in other cases, data subjects have had to consent to such transfers knowing the risk of US government access. The economic relationship between the EU and the USA is currently valued at about $7.1 trillion. Given that value, it is no wonder that there have been efforts to make data flows between the EU and the USA less cumbersome and to preserve the economic relationship between the regions. This article provides a brief summary of the latest effort by the US government to foster trust in the data privacy framework of the USA: the US Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities.

On 7 October 2022, President Biden signed the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (EO 14086, referred to below as the EO) to implement the commitments made by the US under the EU-US Data Privacy Framework. The EO is divided into five sections: purpose, signals intelligence activities, the signals intelligence redress mechanism, definitions and general provisions.

For the purpose of this article, the significant provisions of the EO are highlighted. To understand them, it is important to first understand what signals intelligence means. Signals intelligence is a form of intelligence gathering by intercepting electronic signals. In the US context, signals intelligence involves collecting foreign intelligence from communications and information systems and providing it to customers across the US government, such as senior civilian and military officials, who then use the information to protect US troops, support allies, fight terrorism, combat international crime and narcotics, support diplomatic negotiations and advance other national objectives.

Legitimate objectives for signals intelligence

Signals intelligence may not be conducted at will. According to section 2.b.i.A, it is to be carried out only for the following objectives:

  1. To assess the capabilities or activities of a foreign government, military or political organisation, or of any entity acting on its behalf, in order to protect the national security of the USA and its allies and partners.
  2. To assess the activities of international terrorist organisations that pose a current or potential threat to the national security of the US or its allies and partners.
  3. To assess transnational threats impacting global security, such as climate change, public health risks, humanitarian threats, political instability and geographic rivalry.
  4. To protect against foreign military capabilities and activities.
  5. To protect against terrorism or the taking of hostages conducted by or on behalf of a foreign government.
  6. To protect against espionage.
  7. To protect against threats from the development and proliferation of weapons of mass destruction conducted by or with the assistance of a foreign government, organisation or person.
  8. To protect against malicious cybersecurity threats.
  9. To protect against threats to the personnel of the US or its allies or partners.
  10. To protect against transnational criminal threats, including illicit finance and sanctions evasion, related to any of the objectives stated in this list.
  11. To protect the integrity of government property, US physical and electronic infrastructure and political processes such as elections from activities conducted by a foreign government, organisation or person.
  12. To advance operational capabilities in order to further any of the objectives stated in this list.

Prohibited objectives of signals intelligence activities

The prohibited objectives are found in section 2.b.ii of the EO. Signals intelligence must not be conducted for the purpose of:

  1. Suppressing criticism or the free expression of ideas or political opinions.
  2. Suppressing or restricting legitimate privacy interests.
  3. Suppressing or restricting the right to legal counsel.
  4. Discriminating against persons based on ethnicity, race, gender, gender identity, sexual orientation or religion.

The EO further states that collecting foreign private commercial information or trade secrets in order to afford a competitive advantage to US companies or the US business sector is not a legitimate objective; collection of such information is authorised only to protect the national security of the US or of its allies or partners.

The EO provides as follows: "Signals intelligence collection activities shall be as tailored as feasible to advance a validated intelligence priority and, taking due account of relevant factors, not disproportionately impact privacy and civil liberties. Such factors may include, depending on the circumstances, the nature of the pursued objective; the feasible steps taken to limit the scope of the collection to the authorized purpose; the intrusiveness of the collection activity, including its duration; the probable contribution of the collection to the objective pursued; the reasonably foreseeable consequences to individuals, including unintended third parties; the nature and sensitivity of the data to be collected; and the safeguards afforded to the information collected."

With respect to bulk collection of signals intelligence, the EO states that when it is determined that bulk collection is necessary to advance a validated intelligence priority, reasonable methods and technical measures shall be applied to limit the data collected to only what is necessary in order to achieve legitimate objectives.

Handling of personal information collected through signals intelligence

The EO also provides for the handling of personal information collected through signals intelligence. Elements of the intelligence community handling personal information shall ensure that policies and procedures are in place to minimise the dissemination and retention of personal information. The provisions on retention give 'non-United States persons' the same level of protection as United States persons. For instance, under 'Retention' in section 2.c, the intelligence community "shall delete non-United States persons' personal information collected through signals intelligence that may no longer be retained in the same manner that comparable information concerning United States persons would be deleted."

With respect to data security and access, appropriate protection of, and prevention of unauthorised access to, personal information is to be ensured, consistent with the applicable safeguards for sensitive information in the relevant EOs and directives.

Worthy of note is the savings clause in section 2.e, which states that nothing in the EO shall be construed to limit any signals intelligence collection technique authorised under the Foreign Intelligence Surveillance Act of 1978, as amended (FISA). It should be remembered that one of the considerations in the invalidation of the Privacy Shield framework was section 702 of FISA, which allows the compelled assistance of 'electronic communication service providers', a term that the US courts have interpreted broadly.

Redress mechanism for EU-US data transfers

Section 3 of the EO establishes a process for the submission of qualifying complaints from qualifying states about any covered violation of US law, their investigation, appropriate remediation where necessary, and a Data Protection Review Court (DPRC). The designation of a qualifying state depends on a number of factors under section 3.f.i of the EO, one of which is that the country, regional economic integration organisation or its member countries permit, or intend to permit, the transfer of personal information for commercial purposes between their territory and the territory of the US. In other words, the principle of reciprocity applies. The designation of a qualifying state can also be revoked if the countries or member countries no longer permit the transfer of personal information for commercial purposes between themselves and the US.

What does this mean for EU-US data transfers?

You are probably wondering how this impacts your business operations and EU-US data transfers. The EO brings a ray of hope, as it promises to ease data flows between the EU and the US. It is important to keep in mind, however, that a US Executive Order has no direct effect in EU territory. For this reason, the European Commission has published a Q&A on the EU-US Data Privacy Framework.

In this publication, it is stated that the European Commission will propose a draft adequacy decision and launch the procedure for its adoption. The final adequacy decision will only be adopted after scrutiny by the European Parliament; thereafter, data should flow freely between EU companies and those US companies that have been certified by the Department of Commerce under the new framework.

Until these formalities have been completed, nothing is required from businesses in the EU. If you intend to start transferring data to the US, note that an adequacy decision is not the only way to do so lawfully. One mechanism adopted by the European Commission for international data transfers is the modernised standard contractual clauses, which businesses can include in their commercial contracts. The European Commission has also stated that all the safeguards it has agreed with the US Government in the area of national security (including the redress mechanism) will be available for all transfers to the US under the GDPR, regardless of the transfer tool used.

Summary

Undoubtedly, the EO is a laudable effort to create an environment of trust for EU-US data transfers. For instance, the establishment of a Data Protection Review Court is a progressive step because it provides a redress mechanism for so-called qualifying complaints from qualifying states. According to the White House, the provisions of the EO are intended to provide the basis for the European Commission to adopt a new adequacy decision, restoring an accessible and affordable data transfer mechanism under EU law.

Despite being a commendable effort, the EO gives with one hand and takes with the other. The savings clause states that the EO does not limit any signals intelligence collection technique authorised under the Foreign Intelligence Surveillance Act (FISA), among other laws.

Furthermore, the process for lodging a qualifying complaint appears cumbersome, especially for non-US persons. The Civil Liberties Protection Officer of the Office of the Director of National Intelligence (CLPO) must first review the complaint and then inform the complainant, through the appropriate public authority in the qualifying state, whether or not a covered violation was identified. Complainants therefore cannot lodge complaints directly with, or bring an action before, the DPRC.

After the CLPO has reviewed a complaint, the DPRC (to be constituted by judges selected by the Attorney General in consultation with, among others, the Secretary of Commerce) may further review the CLPO's decision. If the complainant applies for a review by the DPRC, the DPRC selects an advocate to represent the complainant's interest in the matter (section 3.c.i.E). This brings to mind the Latin maxim nemo judex in causa sua: no one should be a judge in their own case. Would an advocate appointed by the DPRC really serve the interest of the complainant, or that of the court that appointed them? Time will tell.

The EO is conspicuously silent on the rights of the complainant. At best, it creates only an '[…] entitlement to submit qualifying complaints to the CLPO and to obtain review of the CLPO's decisions by the Data Protection Review Court […]' according to section 5.h. That section clearly states that the Order '… is not intended to, and does not, create any other entitlement, right, or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.'

On 13 December 2022, the European Commission published a draft adequacy decision for EU-US data transfers, signalling the start of the adoption procedure for the EU-US Data Privacy Framework following the US Executive Order. According to the European Commission's official website, the Commission has submitted its draft decision to the European Data Protection Board (EDPB). Afterwards, the Commission will seek approval from a committee composed of representatives of the EU Member States. In addition, the European Parliament has a right of scrutiny over adequacy decisions. Once this procedure is completed, the Commission can adopt the final adequacy decision.

In summary, while the Executive Order is a step in the right direction, it leaves open questions about government surveillance and the enforceability of data subject rights in the USA. The coming months will bring further developments as processes are put in place to comply with the Executive Order and to adopt a final adequacy decision for EU-US data transfers. Until then, businesses in the EU are advised to maintain the status quo: limit data transfers to the US as far as possible and rely on lawful transfer mechanisms where transfers are necessary.

The post EU-US data transfers: US Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities and the impact on organizational GDPR compliance. appeared first on TechGDPR.
