New Executive Order on Signals Intelligence: A Meaningful—but Insufficient—Step Forward

December 6, 2022 | Chris Baumohl, EPIC Law Fellow

On October 7, President Biden signed an Executive Order which imposes new limitations on U.S. surveillance programs and creates a new redress mechanism for data subjects abroad.[1] This Executive Order is intended to replace the now-defunct Privacy Shield program but is unlikely to satisfy the European Union (EU) legal standards for privacy protections. In particular, the Executive Order has two major weaknesses which will likely form the basis of future challenges under EU law:

  • The Executive Order still permits bulk collection of personal data under many circumstances and its purpose limitations are quite broad and subject to revision by the President, raising concerns that they may not effectively restrain misuse of personal data.
  • The new redress mechanism, while an improvement over prior frameworks, may not be independent and effective enough for individuals to meaningfully exercise their privacy rights.

More fundamentally, because the new framework is based on an Executive Order and not legislation, it is at risk of dilution—or even dissolution—with each new administration, leading to serious doubts about its stability. A new adequacy determination and a possible Schrems III decision by the Court of Justice of the European Union (CJEU) are a long way off. However, with Section 702’s reauthorization deadline approaching at the end of 2023, the weaknesses of the Executive Order underscore the need for Congress to step in to properly protect privacy rights against government mass surveillance.

I. The United States must ensure adequate protection to enable trans-Atlantic data flows.

The new Executive Order and accompanying DOJ regulations are the latest effort to resolve a protracted conflict between EU and U.S. data protection standards and establish a legal framework for trans-Atlantic data flows. Under the EU Charter of Fundamental Rights, any law enabling the processing of EU citizens’ data rights must be necessary in a democratic society and proportionate to a legitimate objective.[2] EU law also stipulates that processing of personal data should not interfere with the “essence” of the fundamental right to privacy.[3] The EU Charter further provides that anyone whose data rights have been violated must have access to a “fair public hearing within a reasonable time by an independent and impartial tribunal.”[4] EU law only permits transfers of personal data to third countries if they provide an adequate level of data protection, meaning a level that is “essentially equivalent” to those rights guaranteed to EU citizens within the EU.[5]

Adequacy has been a sticking point for EU-U.S. data transfers due to U.S. intelligence agencies’ bulk data collection programs. As opposed to targeted data collection, bulk collection occurs where personal data is collected without being associated with a current target of surveillance or without the use of discriminants (specific limiting criteria such as identifiers or selection terms). Bulk collection programs have long been a concern for European authorities and the CJEU has repeatedly found that the use of bulk collection is almost never justified under the necessary and proportionate standard because it interferes with the “essence” of the fundamental right to privacy.[6]

In response to Edward Snowden’s disclosures of the U.S. government’s bulk telephone and internet surveillance programs, President Obama issued Presidential Policy Directive 28 (PPD-28), which established principles guiding signals intelligence activities and extended certain privacy rights to non-U.S. persons for the first time.[7] Privacy Shield—created in 2016 to replace the Safe Harbor framework invalidated by the CJEU in Schrems I—purported to provide over 5,000 companies with a mechanism by which to transfer EU citizens’ data to the United States in compliance with EU law.[8] To allay CJEU concerns over the lack of a redress mechanism under U.S. law for harms arising out of signals intelligence activities, Privacy Shield created an Ombudsperson position at the U.S. Department of State tasked with processing EU citizens’ complaints relating to signals intelligence programs.[9] However, the CJEU in Schrems II found that the protections based in PPD-28 and the Privacy Shield framework still failed to adequately protect EU citizens’ personal data rights.[10] With Privacy Shield invalidated, U.S. and EU officials began negotiating a successor framework to facilitate cross-border data transfers without running afoul of EU law.

The Biden administration Executive Order, which outlines the steps the U.S. government will take to implement the new EU-U.S. Data Privacy Framework (EU-U.S. DPF),[11] places new requirements on the collection and handling of personal information, regardless of nationality of the data subject. In particular, the Executive Order directs that U.S. signals intelligence will: (i) prioritize targeted collection over bulk collection; (ii) permit bulk collection only where the information is necessary to advance a “validated intelligence priority” that cannot be obtained through targeted collection; and (iii) where bulk collection is permitted, use “reasonable methods and technical measures” to ensure that these activities collect only information necessary to achieve those priorities.[12]

The Executive Order also creates a new redress mechanism for individuals claiming their personal information was unlawfully collected under signals intelligence programs. This mechanism—which replaces the former Privacy Shield Ombudsperson mechanism invalidated by the CJEU in Schrems II[13]—includes an initial investigation and determination by the Civil Liberties Protection Officer (CLPO) at the Office of the Director of National Intelligence (ODNI), followed by an option for review by a new Data Protection Review Court (DPRC) within the Department of Justice (DOJ).[14]

Initial reactions from the privacy and civil liberties community have been mixed.[15] While the new Executive Order marks an improvement over the prior PPD-28 framework, it remains lacking in important ways. Here, we focus on several of these shortcomings—the permissiveness of the broad privacy safeguards and lack of a ban on bulk collection; the inadequacy of privacy safeguards, regardless of data subject nationality; and the improved, but still insufficient, redress mechanism. Only time will tell whether these shortcomings prove fatal in a future adequacy decision or a potential Schrems III decision at the CJEU.

II. The Executive Order permits overly broad justifications for surveillance and fails to ban bulk collection.

In Schrems II, the CJEU found that U.S. signals intelligence was not “necessary and proportionate” as required under the General Data Protection Regulation (GDPR).[16] With these concerns in mind, the Executive Order sets forth twelve purpose limitations, as well as several prohibited purposes.[17] While imposing transparent purpose limitations is an important step to ensuring effective oversight, some of the purposes delineated in the Executive Order are overly broad. For example, the Executive Order authorizes signals intelligence activities to:

  • “understand[] or assess[] the capabilities, intentions, or activities of” among other foreign entities, “foreign-based political organization[s] [. . .] in order to protect the national security of the United States and of its allies and partners”;[18]
  • “understand[] or assess[] transnational threats that impact global security, including climate and other ecological change, public health risks, humanitarian threats, political instability, and geographic rivalry”;[19]
  • “protect[] against cybersecurity threats created or exploited by, or malicious cyber activities conducted by or on behalf of, a foreign government, foreign organization, or foreign person”;[20] and
  • “protect[] against threats to the personnel of the United States or of its allies or partners[,]”[21] noting that personnel in this case includes any current or former member of the armed forces, any current or former U.S. official, and “any other person currently or formerly employed by or working on behalf of the United States government,” as well as these same categories of individuals as they relate to allies and partners.[22]

Many of these purpose limitations are quite broad. It is also unclear if these purpose limitations meaningfully restrict the use of signals intelligence and bulk collection, rather than merely memorializing the intelligence community’s existing practices. While the Executive Order also restricts the use of bulk collection to a narrower subset of purpose limitations, this subset mirrors those purpose limitations laid out in PPD-28, which the PCLOB noted were consistent with the NSA’s existing use of bulk data collection.[23] Although it remains unclear precisely how these purpose limitations map on to existing practices, if the new Executive Order does not meaningfully narrow the circumstances under which bulk collection may be used, it is likely to face significant hurdles in any future challenge at the CJEU.

Further, while these purpose limitations mark some improvement over the opaque foreign intelligence purposes delineated in the existing surveillance framework, the Executive Order notes that these purposes are not necessarily comprehensive and may be updated by the President at any time without public release.[24] This raises the specter of “secret law,” which EPIC and other privacy and civil liberties groups have long decried as antithetical to our democratic system of governance.[25]

More fundamentally, though, while the Executive Order does provide some privacy safeguards, it does not fully restrict the use of bulk collection programs by U.S. intelligence agencies. Therefore, even if stringently applied, these limits are likely to fail under EU legal precedent, under which bulk collection is nearly never justified.[26]

III. Equalizing protections only goes so far.

The Executive Order also grants all persons the same level of protection previously afforded to only U.S. persons. This represents some improvement upon the existing surveillance framework, which has typically differentiated between U.S. persons and non-U.S. persons in establishing privacy protections.

However, equalizing protections between U.S. and non-U.S. data subjects is only effective if those U.S. person safeguards are meaningful. The Intelligence Community operates these programs outside of traditional Fourth Amendment protections, such as the warrant requirement or even the traditional FISA process, which—although flawed in its own ways—provides more case-by-case scrutiny of surveillance activities. Instead, bulk collection programs are subject only to very circumscribed, programmatic judicial review—or no judicial review at all.[27]

In addition to this limited oversight of the initial collection process, there are internal intelligence agency controls on the use and dissemination of personal data. However, as EPIC and other groups have noted, intelligence agencies’ minimization procedures for retaining and disseminating U.S. person information do not adequately protect privacy. For example, most agencies’ default five-year retention limits are not particularly meaningful and leave data available for years without any determination that it has any foreign intelligence value. In other instances, agencies have failed to comply with their own minimization procedures, such as those requiring agencies to purge personal information that has aged off or resulted from incidents of noncompliance.[28] Therefore, while equalizing these safeguards regardless of nationality is a step forward, it still means that EU persons will have a lower standard of data protection than they are legally entitled to.

IV. Still searching for meaningful and effective redress.

Ensuring meaningful redress has proven to be a particularly thorny issue between the U.S. government and EU legal authorities. The CJEU invalidated prior privacy redress mechanisms, such as the Privacy Shield Ombudsperson, because they were not sufficiently independent or effective.[29] This new mechanism—which includes initial review by the ODNI CLPO and secondary review by the DPRC—appears to mark an improvement on both fronts but is still unlikely to pass muster under EU legal standards.

  • Independence

Under EU law, individuals whose rights are violated have the right to an effective remedy before an independent and impartial tribunal.[30] The redress mechanism does not need to be a full Article III-style court; some EU member states use quasi-judicial administrative authorities in similar situations. However, in Schrems II, the CJEU found that the Privacy Ombudsperson was insufficiently independent because they reported directly to the Secretary of State, they were appointed by the Secretary of State, and there was no indication that the Ombudsperson was guaranteed sufficient protection against dismissal or revocation of their appointment.[31] The CJEU further emphasized that while the U.S. government committed its intelligence agencies to correct any violation of law identified by the Privacy Ombudsperson, there was no express indication that the Ombudsperson’s decisions were binding on the Intelligence Community.[32]

The new EU-U.S. DPF appears vulnerable to these same criticisms given that both tiers of the new redress mechanism remain fully within the Executive Branch. At the first level of review, the Executive Order emphasizes that the CLPO’s decision is binding on the intelligence community, subject to appeal to the DPRC.[33] Further, the Executive Order states that the ODNI shall not interfere with the CLPO’s review or retaliate against the CLPO for carrying out their duties.[34] Despite these protections and the express stipulation that the CLPO’s decisions are binding on the Intelligence Community, the CLPO—as with the Privacy Ombudsperson—remains within the Executive Branch and subject to direct supervision of the DNI, who oversees the surveillance activities at issue. Therefore, although the Executive Order seeks to address some of the specific criticisms highlighted by the CJEU in Schrems II—namely that the prior Ombudsperson framework did not include any express guarantees against dismissal or revocation of the position[35]—it still fails to set forth a mechanism that is truly independent from the Executive Branch and Intelligence Community.

Similarly, while the DPRC is not subject to the Attorney General’s day-to-day oversight, there are some features that raise independence concerns. First, the Attorney General selects the DPRC judges, in consultation with the Secretary of Commerce, the DNI, and the PCLOB.[36] The particulars of this nomination and selection process are not yet clear. However, given the composition of government agencies charged with choosing DPRC judges, it appears likely that this process would skew toward candidates with prior government experience and less toward candidates with backgrounds in civil liberties.[37] Second, the DOJ regulations note that DPRC judges will be appointed to serve four-year renewable terms and have protections against arbitrary removal.[38] While these explicit protections are important, the regulations do not seem to indicate the existence of safeguards preventing the Attorney General from opting to not renew a judge’s term in response to adverse determinations.[39] Without a more diverse candidate pool and stronger protections against soft firings—such as more robust roles for the PCLOB and other stakeholders in nominating, electing, and re-electing judges—the DPRC may not be sufficiently independent from the rest of the Executive Branch.

  • Effectiveness

The GDPR guarantees the right to an “effective judicial remedy” in accordance with Article 47 of the EU Charter.[40] The GDPR also directs that mechanisms for exercising data rights should be simple and should include electronic means where possible.[41] Further, the controller should respond to rights requests “without undue delay and at the latest within one month.”[42]

However, the new redress mechanism may be too complex and too secretive to be meaningfully effective. The Executive Order and accompanying DOJ regulations envision a two-layer redress mechanism, which may be broken down into the following steps:

  • First, an individual complainant must file a complaint with the appropriate authority in a qualifying state—in this case, an EU member state.[43] That authority verifies the individual’s identity and makes the initial qualification determination.[44] The public authority in the qualifying state then submits qualifying complaints to the CLPO for review.[45]
  • Second, the CLPO reviews the qualifying complaint and, based on that review, provides a summary notice to the complainant.[46] This summary notice neither confirms nor denies that the complainant was subject to U.S. signals intelligence surveillance, merely stating that “the review did not identify any covered violations” or that the DPRC “issued a determination requiring appropriate remediation.”[47]
  • Third, the complainant—upon receiving the summary notice from the CLPO or the Intelligence Community element—may appeal to the DPRC for review of the CLPO’s determination.[48]
  • Fourth, if a complainant or the U.S. government appeals the determination, the DPRC selects an advocate to argue “regarding the complainant’s interest in the matter.”[49]
  • Fifth, the DPRC makes a final determination on whether there was a covered violation, and if so, what remediation is appropriate.[50]

While there is quite a bit that we do not know about the qualifying state process and the interplay between the various authorities, on paper, the mechanism raises serious concerns that it may be too complex to offer individual complainants an effective remedy for violations of their privacy rights. Apart from the number of steps an individual complainant must take to exercise their rights, the process itself is opaque and may complicate complainants’ efforts to appeal any adverse determination. In particular, the summary notice does not include sufficient information to provide complainants with notice to appeal. Upon receipt of the notice, any complainant would be wise to appeal as a matter of right, even where—unbeknownst to the complainant—both the CLPO and the DPRC have found a covered violation and have ordered appropriate remediation. However, given the opacity of the notice itself, a reasonable complainant may not understand whether to file an appeal or not. Further, the complainant’s lack of notice when the Intelligence Community element appeals deprives them of the ability to have their interests adequately represented, even by the Special Advocate.

In addition to its complexity, the redress mechanism does not appear to do enough to ensure that existing barriers to redress do not continue to stymie independent, meaningful efforts to vindicate privacy rights. While the DPRC structure appears to make it easier for complainants to bring claims, it seems to incorporate some of the other major institutional barriers associated with surveillance challenges, including undue deference to national security officials and excessive secrecy.[51]

As in other cases of government mass surveillance, individuals generally lack sufficient information or notice to file claims. The Executive Order does not require complainants to establish that they were in fact subject to surveillance, which has created significant challenges to establishing standing in litigation in Article III courts.[52] Instead, a qualifying complaint must include the information forming the basis for alleging that a covered violation has occurred; the nature of relief sought; the specific means by which it is believed to have been transmitted to U.S. authorities; the identities of the U.S. government entities believed to be involved in the alleged violation (if known); and any other measures the complainant has pursued.[53] Given the secrecy with which surveillance programs operate, complainants likely do not have specific information about how and by whom their personal information is collected. Therefore, it is vital that public authorities in the EU making the initial qualification determination do not hold it against complainants that they lack some of these categories of information.

Even where the DPRC process attempts to account for the interests of the complainant, it appears to fall short. Under the DOJ regulations, the DPRC will select a Special Advocate to advocate regarding the complainant’s interest.[54] Notably, though, the Special Advocate will not be the agent of or have an attorney-client relationship with the complainant.[55] Further, in the interest of protecting the confidentiality of these proceedings, communications between the Special Advocate and complainant or their counsel pass through the Office of Privacy and Civil Liberties (OPCL).[56] And, in cases where the IC element appeals, the Special Advocate cannot communicate with the complainant at all.[57] Therefore, the role of Special Advocate—like that of the FISA Court amici—will not be a true advocate for privacy rights.

Even where a complainant can vindicate their own rights, the remedies under this new redress mechanism are so narrowly tailored that they may not lead to broader reform or redress, even where they reveal systematic issues. The Executive Order authorizes the CLPO and DPRC to issue directives for “appropriate remediation,” which may range from administratively curing violations, deleting data unlawfully acquired or resulting from unlawful queries, restricting access to data, or recalling intelligence reports derived from unlawfully acquired data.[58] However, the Executive Order emphasizes that “appropriate remediation” is limited to the specific complainant and must be “narrowly tailored to redress the covered violation.”[59] Therefore, in a situation where an individual complainant is part of a larger class—say a member of a foreign-based political organization—they may seek and obtain redress, but any systemic violation identified would not necessarily result in remediation. Without more concrete indications that the CLPO and DPRC have the authority to issue broad remediation based on systemic issues, the mechanism cannot adequately protect privacy at scale.

Finally, the new Executive Order and accompanying DOJ regulations do not require, or even allow for, any follow-up oversight by the CLPO or DPRC. Therefore, any reporting on intelligence agencies’ compliance with these new safeguards and with the CLPO or DPRC determinations seems to fall to the PCLOB, which may report on noncompliance but does not itself bind the intelligence community. Therefore, in a hypothetical scenario where the CLPO or DPRC orders an intelligence agency to purge certain personal data and the agency fails to effectively do so—as has happened in the context of the FISC[60]—it remains unclear what, if any, consequences there are for noncompliance, or even whether any of the above bodies can order the agency to rectify its noncompliance.

V. Where we go from here

Next, the European Commission will assess the EU-U.S. DPF and the implementing Executive Order blueprint and make an adequacy determination.[61] This process, which could take several months, likely sets up a new round of legal challenges.

Along with the issues identified above, this new round of litigation is likely to focus on another fundamental weakness of this new framework—its basis in an Executive Order and not in legislation. Without the stability that legislation provides, this new framework may succumb to the whims of future administrations that are more hostile to accountability for surveillance activities. Given these risks, this lack of stability is likely to be a key focus of the next round of litigation in EU courts.

The Executive Order also comes as the Section 702 reauthorization debate begins to take form. Given the need for stable trans-Atlantic data flows and the potential shortcomings in the new EU-U.S. DPF, it is vital that Congress take initiative and codify meaningful privacy protections and redress as part of the newest Section 702 reauthorization, rather than taking a wait-and-see approach to adequacy.


[1] Exec. Order No. 14,086 87 Fed. Reg. 62,283 (Oct. 7, 2022) [hereinafter EO 14,086].

[2] Charter of Fundamental Rights of the European Union, art. 52, Dec. 18, 2000, 2000 O.J. C 364/1.

[3] Regulation (EU) 2016/679, of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1, art. 23(1) [hereinafter GDPR].

[4] Charter of Fundamental Rights of the European Union, supra note 2, at art. 47.

[5] GDPR, supra note 3, Recital 104.

[6] See Vincent Manancourt, Europe’s State of Mass Surveillance, Politico (July 6, 2022), https://www.politico.eu/article/data-retention-europe-mass-surveillance/ (“In a series of judgments from 2014 onwards, including most recently in late 2021 and early 2022, the CJEU has mostly sided with privacy groups, arguing that blanket data retention isn’t legal — except in some circumstances, with proper safeguards and if there’s a serious threat to national security.”).

[7] See Presidential Policy Directive 28, “Signals Intelligence Activities” § 4 (Jan. 17, 2014) (“PPD-28”).

[8] U.S. Dep’t of Commerce, Privacy Shield Overview, https://www.privacyshield.gov/Program-Overview (last visited Dec. 5, 2022).

[9] U.S. Dep’t of State, Privacy Shield Ombudsperson, https://www.state.gov/privacy-shield-ombudsperson/ (last visited Dec. 5, 2022).

[10] Case C-311/18, Data Prot. Comm’r v. Facebook Ir. Ltd. (Schrems II), ECLI:EU:C:2020:559, ¶¶ 190–201 (July 16, 2020).

[11] EU and U.S. Agree “In Principle” on New Data Transfer Framework, EPIC (Mar. 25, 2022), https://epic.org/eu-and-u-s-agree-in-principle-on-new-data-transfer-framework/.

[12] See EO 14,086 § 2(c)(ii)(A).

[13] See Data Protection Commissioner v Facebook and Max Schrems (Standard Contractual Clauses), EPIC, https://epic.org/documents/data-protection-commissioner-v-facebook-and-max-schrems-standard-contractual-clauses/ (last visited Dec. 5, 2022) (providing detailed background on the CJEU’s decisions in Schrems I and Schrems II).

[14] See Data Protection Review Court, 87 Fed. Reg. 62,303 (Oct. 14, 2022) (to be codified at 28 C.F.R. 201) [hereinafter DOJ Regulations].

[15] See Elizabeth Goitein, The Biden Administration’s SIGINT Executive Order, Part I: New Rules Leave Door Open to Bulk Surveillance, Just Sec. (Oct. 31, 2022), https://www.justsecurity.org/83845/the-biden-administrations-sigint-executive-order-part-i-new-rules-leave-door-open-to-bulk-surveillance/ (noting the significant steps forward in extending protection and redress to foreign nationals, but emphasizing that the new Executive Order is not sufficiently protective to meet EU legal standards); Ashley Gorski, The Biden Administration’s SIGINT Executive Order, Part II: Redress for Unlawful Surveillance, Just Sec. (Nov. 4, 2022), https://www.justsecurity.org/83927/the-biden-administrations-sigint-executive-order-part-ii/ (detailing why the DPRC redress mechanism—while an improvement over the prior Privacy Shield mechanism—is unlikely to satisfy CJEU review); Greg Nojeim & Iverna McGowan, Transatlantic Data Flows: More Needed to Protect Human Rights, Ctr. for Democracy & Tech. 17 (Oct. 2022), https://cdt.org/wp-content/uploads/2022/11/2022-11-03-CDT-Transatlantic-Data-Flows-More-Needed-to-Protect-Human-Rights-report-2.pdf (concluding that the new EO and DOJ regulations “represent significant steps forward” in protecting foreign nationals, but that the new framework may not be enough to survive a challenge at the CJEU).

[16] Case C-311/18, Data Prot. Comm’r v. Facebook Ir. Ltd. (Schrems II), ECLI:EU:C:2020:559, ¶¶ 178–80 (July 16, 2020).

[17] EO 14,086 § 2(b). These prohibited purposes include “suppressing or burdening criticism, dissent, or the free expression of ideas or political opinions by individuals or the press”; “suppressing or restricting legitimate privacy interests”; “suppressing or restricting a right to legal counsel”; and “disadvantaging persons based on their ethnicity, race, gender, gender identity, sexual orientation, or religion.” Id. § 2(b)(ii).

[18] Id. § 2(b)(i)(A)(1).

[19] Id. § 2(b)(i)(A)(3).

[20] Id. § 2(b)(i)(A)(8).

[21] Id. § 2(b)(i)(A)(9).

[22] Id. § 4(j).

[23] PCLOB, Report to the President on the Implementation of Presidential Policy Directive 28: Signals Intelligence Activities 6 (2018).

[24] See EO 14,086 § 2(c)(ii)(C).

[25] See Letter from EPIC to President’s Intelligence Review Panel (Aug. 29, 2013), https://epic.org/wp-content/uploads/privacy/terrorism/fisa/EPIC-IRP-Ltr-8-13.pdf (emphasizing that the growing body of secret law “makes it difficult for the public to fully evaluate the scope and impact of the intelligence surveillance programs” and is “contrary to values and needs of democratic government”).

[26] See supra note 6.

[27] Foreign Intelligence Surveillance Court (FISC), EPIC, https://epic.org/foreign-intelligence-surveillance-court-fisc/ (last visited Dec. 5, 2022) (describing the FISC’s circumscribed review of Section 702 targeting and minimization procedures).

[28] See, e.g., In re [REDACTED], No. [REDACTED], at 58 (FISA Ct. Nov. 6, 2015) (criticizing the government’s failure to timely purge improperly collected information); In re [REDACTED], Mem. Op. & Order, No. [REDACTED] 87–89, 94–95 (FISA Ct. Apr. 26, 2017), https://www.dni.gov/files/documents/icotr/51117/2016_Cert_FISC_Memo_Opin_Order_Apr_2017.pdf (reprimanding the FBI and CIA for violating their respective purging requirements).

[29] Case C-311/18, Data Prot. Comm’r v. Facebook Ir. Ltd. (Schrems II), ECLI:EU:C:2020:559, ¶¶ 188–91 (July 16, 2020).

[30] Id. ¶¶ 186–87.

[31] Schrems II, ECLI:EU:C:2020:559, ¶ 195.

[32] Id. ¶ 196.

[33] See EO 14,086 § 3(c)(ii).

[34] See id. § 3(c)(iv).

[35] Schrems II, ECLI:EU:C:2020:559, ¶ 195.

[36] See DOJ Regulations, supra note 13, at 62,305.

[37] Although the judges must not have been government employees within two years of their appointment, the DOJ regulations emphasize the importance of relevant expertise. Id. Further, while the DPRC is not a court in the traditional sense, the DOJ regulations direct the Attorney General to make efforts to ensure that at least half the DPRC judges have prior judicial experience. Id. at 62,305–06.

[38] See id. (directing that DPRC judges cannot be removed “except for instances of misconduct, malfeasance, breach of security, neglect of duty, or incapacity”).

[39] These same concerns apply to Special Advocates, who are selected by the DPRC for two-year renewable terms. See id. at 62,306. It is further unclear whether Special Advocates have any protections against removal during those terms.

[40] GDPR, supra note 4, Recital 141.

[41] Id., Recital 59.

[42] Id.

[43] DOJ Regulations, supra note 13, at 62,304. For the purposes of the new redress mechanisms, complainants must be individual natural persons, not organizations. EO 14,086 § 4(k)(i).

[44] See EO 14,086 § 4(k)(v).

[45] Id.

[46] Id. § 3(c)(i).

[47] Id. § 3(c)(i)(E).

[48] Id. § 3(c)(i)(E)(2).

[49] Id. § 3(c)(i)(E)(3).

[50] Id. § 3(d)(i).

[51] See EO 14,086 § 3(d)(i)(D); DOJ Regulations, supra note 13, at 62,307. Further, the DOJ regulations note that the DPRC panel will interpret the Executive Order—including its references to necessity and proportionality—exclusively according to U.S. law. Id. at 62,307. Interpreting EU legal standards—like those defining “necessary and proportionate”—strictly based on U.S. law risks blessing U.S. surveillance activities and governing frameworks that adhere to the letter—but not the spirit—of these standards.

[52] Christopher Slobogin, Standing and Covert Surveillance, 42 Pepp. L. Rev. 517, 518 (2015) (“Precisely because much modern-day surveillance is covert, this demanding standing test may be impossible to meet. If so, unconstitutional surveillance programs may be immune from judicial review.”).

[53] EO 14,086 § 4(k)(ii).

[54] Id. at 62,306–07.

[55] Id. at 62,307.

[56] Id.

[57] Id.

[58] EO 14,086 § 4(a).

[59] See EO 14,086 § 4(a).

[60] See supra note 27 and accompanying text.

[61] See Questions & Answers: EU-U.S. Data Privacy Framework, Eur. Comm’n (Oct. 7, 2022), https://ec.europa.eu/commission/presscorner/detail/en/qanda_22_6045.
