Today, after over two years of detailed negotiations, President Joe Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the “Order”) outlining steps the U.S. will take to implement its commitments under the European Union-U.S. Data Privacy Framework, originally announced by President Biden and European Commission President Ursula von der Leyen in March of 2022 (as previously discussed here).
The Order follows the Court of Justice of the European Union’s (CJEU) 2020 judgment in Schrems II (previously discussed here), which invalidated the EU-U.S. Privacy Shield as a valid data transfer framework under the European General Data Protection Regulation, requiring thousands of companies to resort to standard contractual clauses or binding corporate rules as virtually their only means to freely transfer data across the Atlantic. It is hoped that the steps proposed by the Order will alleviate the concerns raised by the CJEU regarding transfers of personal data to the U.S., and will lead to a new data transfer mechanism that can be used to legitimise transfers of personal data from the EU to the U.S.
Safeguards proposed by the Order
As noted above, the Order is proposed in response to the CJEU’s Schrems II decision, which raised concerns related to U.S. government access and surveillance laws. Specifically, the CJEU found that the European Commission’s adequacy decision for the EU-U.S. Privacy Shield was insufficient on the basis that (i) U.S. surveillance programs permitted unjustifiably broad government oversight without regard for requirements to limit such surveillance to what is “strictly necessary and proportionate” as required by EU law and (ii) EU data subjects lacked actionable judicial redress, leaving them without a remedy in the U.S. in the event of a violation of their privacy rights. The CJEU also raised concerns with the fact that the requirements of U.S. national security, public interest and law enforcement have primacy and, therefore, interfere with the fundamental rights of persons whose data are transferred to the U.S. On these bases, the CJEU invalidated the prior EU-U.S. Privacy Shield framework as a valid data transfer mechanism under EU law.
At a high level, the Order seeks to address the CJEU’s concerns by proposing a number of new safeguards for how U.S. intelligence officials conduct signals intelligence activities involving personal data transferred from the EU to the U.S., including:
- mandating a number of safeguards and requirements for personal data collected through U.S. signals intelligence activities, including (i) requirements that surveillance activities be conducted only in pursuit of defined national security objectives, (ii) prioritization of “targeted collection” as opposed to “bulk collection,” which will only be authorized based on a determination that the information necessary to advance a validated intelligence priority cannot reasonably be obtained by targeted collection, and (iii) the imposition of heightened responsibility for legal, oversight and compliance officials to ensure appropriate actions are taken to remediate instances of noncompliance;
- requiring relevant U.S. authorities to update their policies and procedures to reflect the new safeguards proposed by the Order;
- creating a multi-layer mechanism for independent and binding review and redress of claims related to information collected through U.S. signals intelligence (including the establishment by the Attorney General of a Data Protection Review Court allowing EU individuals to file lawsuits with the assistance of a “special advocate” to challenge how their data is used by U.S. intelligence agencies and to receive redress related to their privacy concerns – see here the U.S. Department of Justice announcement regarding the establishment of that court);
- conducting an annual review of the redress process; and
- reviewing existing intelligence community policies and procedures to ensure they are consistent with the Order.
The publication of the Order will not automatically make data exports from the EU to the U.S. permissible under the framework; instead, the Order will serve as a basis for the European Commission to adopt a new adequacy determination, required for the new framework to take effect. Following President Biden’s signature, the decree will be sent to Brussels where the European Commission will implement the text into its own legislation before considering whether to adopt an adequacy determination in respect of the revised data transfer framework. The process to adopt the final adequacy determination is expected to take a few months, with the final text likely to be published around March/April 2023.
Some are hesitant to breathe a sigh of relief, as it is likely that any such decision by the European Commission will eventually be subject to legal challenge before the EU courts, and ultimately the CJEU. Nevertheless, officials remain confident that the Order and its implementation will adequately address the Commission’s concerns as a reliable framework to re-establish the free flow of data between the U.S. and EU.