DPRC: A Questionable New Agreement on the Transfer of European Data to the USA

Established in October 2022, the Data Protection Review Court (DPRC) is an institution set up by the Biden administration to resolve disputes between the United States and European Union members concerning the handling of personal data. On November 14, 2023, the first judges of the DPRC were appointed. Although this new jurisdiction is supposed to ease existing tensions, its operations raise some concerns.

New Guarantees for Individuals

In July 2020, the Court of Justice of the EU issued the Schrems II ruling which invalidated the Privacy Shield (an agreement that previously allowed transatlantic data transfers) and deemed the United States as an inadequate country. Consequently, to transfer data from Europeans, guarantees were considered necessary (data anonymization, standard clauses...).

After years of negotiations, the Data Privacy Framework was implemented in the summer of 2023 between the EU and the United States. This agreement facilitates data transfers between these two regions.

How? By establishing sufficient guarantees for users (obligation to inform, transparency, right to object to the transfer, recourse body...)

The major new feature of this agreement? The possibility for any European who believes that their data has been illegally processed to bring a case before the Data Protection Review Court (DPRC).

A New Recourse Mechanism

Under the American Foreign Intelligence Surveillance Act (FISA), data from European citizens can legally be collected as part of US surveillance activities. Europeans, in practice, have no recourse to prevent possible excessive surveillance activities under European law. This is the entire purpose of this new Court.

Established by decree in October 2022, its main mission is to independently review decisions made by the "Civil Liberties Protection Officer of the Office of the Director of National Intelligence" (ODNI CLPO) – in response to qualifying complaints filed by individuals through public authorities.

*A bona fide complaint alleging specific violations concerning personal data within the framework of U.S. intelligence activities.

This recourse involves two steps:

The complaint from the plaintiff is first received by a European data protection authority, before being transmitted to the ODNI CLPO, which acts as a first instance. This body is responsible for conducting an investigation to determine whether there are violations and the appropriate corrective measures.
If no violation is found, the complainant can ask the DPRC to review the decisions of the ODNI CLPO.

💡 An EU citizen suspects that their electronic communications have been intercepted and analyzed by a US intelligence agency, as part of signal surveillance. This is in violation of the guarantees provided in the American executive order. This person could then file a complaint with the ODNI CLPO. If they are not satisfied with the response or proposed resolution, they could then appeal to the DPRC.

However, the operation of this Court still raises some doubts.

Increasingly Unclear Details

The establishment and operation of the DPRC have drawn significant criticism. Several somewhat unclear points need to be clarified.

Questionable Independence

The DPRC is a Court created by decree, supposed to analyze violations committed by intelligence agencies... also under the executive. There is necessarily a conflict of interest. How is the Court supposed to prevent such surveillance activities, if they have been deemed necessary by the American executive? What concrete means does this Court have?

A Procedure Subject to Eligibility

According to the information made available, this procedure is not addressed to everyone. Indeed, according to the decree establishing the DPRC, requests for reviews must be filed with public authorities of eligible States. The status of eligible state is granted by the Attorney General based on the following criteria:

The country or regional organization requires appropriate guarantees for the conduct of American intelligence activities. For example, the European Union demands appropriate safeguards for the conduct of intelligence activities. This requires a level of protection equivalent to that provided by the GDPR (with respect for principles such as proportionality, minimization, necessity...), as well as a recourse mechanism.
The country or regional organization allows the transfer of personal data with the United States for commercial purposes.
The designation of such a country or regional organization as eligible would be in the interest of the United States.

We can therefore deduce that this status of eligible country currently concerns only the countries of the European Union and all others with an agreement with the United States on data sharing (For example the United Kingdom, Gibraltar, Switzerland...). It is therefore a designation that remains at the sole discretion of the United States. It may thus have the effect of excluding other countries from America, Asia, or Africa that are nevertheless not spared from American surveillance activities.

A Location Kept Confidential

No information has been given about the location of this Court. There is therefore no possibility of physically attending it. The only public information is the identity of the eight judges who sit. How can we be sure of the independence of this Court if it does not have its own premises and does not allow access to physical persons?

A Lack of Transparency

To date, the U.S. Department of Justice has not disclosed whether it has already handled cases in this framework, nor when it will be able to do so. The decisions of the Court will be kept secret. The complainants, not allowed to appear in person, are represented by a special lawyer.

During the first instance request with the ODNI CLPO, the response will mention either that no violation has been found, or that a violation has been found and that the American government has taken the appropriate measures to remedy it. It will not specify which ones. This poses a problem of transparency, as it is on the basis of this refusal that the complaining party is supposed to appeal.

As a lawyer, it is very difficult to prevail by saying 'I appeal' without stating why I am challenging the decision.
Max Schrems, Austrian jurist

Insufficient Rights of Defense

According to the information communicated in the decree establishing the DPRC, each request will be examined by a panel of three judges of this Court. It is the presiding judge who will designate the special lawyer charged with defending the interests of the complainant.

However, the same decree states that it will not be a lawyer-client relationship. On the contrary, the special lawyer will even be subject to communication restrictions for national security reasons. Indeed, the American administration wants to ensure that no classified or privileged information is disclosed.

On paper, the Data Protection Review Court (DPRC) therefore offers a recourse mechanism for complaints concerning the surveillance of data of Europeans. Yet, even if this Court revives hope regarding the respect of Europeans' rights by the American Government, the criticisms and uncertainties surrounding its operation are not reassuring. Only the observation of the actual operation of this Court will answer the question of the balance between surveillance and respect for privacy.