On 7 October 2022, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (E.O.). The E.O. directs the steps that the United States will take to implement the EU-U.S. Trans-Atlantic Data Privacy Framework (Framework), which was announced in March 2022 by President Biden and European Commission President von der Leyen.
“Transatlantic data flows are critical to enabling the $7.1 trillion EU-U.S. economic relationship” (White House Briefing Statement, October 07, 2022).
In its Schrems II decision, the Court of Justice of the European Union declared the Privacy Shield to be an invalid mechanism for EU-U.S. data transfers. The E.O.’s objective is to provide the European Commission with a basis to adopt a new adequacy determination through 5 key steps concerning US intelligence activities:
- Further safeguards: the E.O. requires that signals intelligence activities be conducted only in pursuit of defined national security objectives; take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence; and be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority.
- Handling requirements for personal information: the E.O. mandates handling requirements for personal information collected through signals intelligence activities and extends the responsibilities of legal, oversight, and compliance officials to ensure that appropriate actions are taken to remediate incidents of non-compliance.
- Updated policies and procedures: the E.O. requires U.S. Intelligence Community elements to update their policies and procedures to reflect the new privacy and civil liberties safeguards contained in the E.O.
- Redress of claims: the E.O. creates a multi-layer mechanism for individuals from qualifying states and regional economic integration organizations, as designated pursuant to the E.O., to obtain independent and binding review and redress of claims that their personal information collected through U.S. signals intelligence was collected or handled by the United States in violation of applicable U.S. law, including the enhanced safeguards in the E.O.
- Review: the E.O. calls on the Civil Liberties Protection Officer of the Office of the Director of National Intelligence (CLPO) to review Intelligence Community policies and procedures to ensure that they are consistent with the Executive Order and to conduct an annual review of the redress process, including to review whether the Intelligence Community has fully complied with determinations made by the CLPO and the Data Protection Review Court.
“The EU-U.S. Data Privacy Framework will restore an important legal basis for transatlantic data flows by addressing concerns that the Court of Justice of the European Union raised in striking down the prior EU-U.S. Privacy Shield framework as a valid data transfer mechanism under EU law” (White House Briefing Statement, October 07, 2022).
What is next: a Schrems III decision?
A month later, with no further news on this front, the question of what will happen still looms.
The European Commission will now move to the next steps, which include proposing a draft adequacy decision and launching its adoption procedure. It may take approximately six months, so be on the lookout for more news in March 2023.
As you monitor for developments, keep an eye on how your privacy and security teams maintain your company’s data mapping. Also, take steps to carry out the company’s Transfer Impact Assessments (TIAs) so that you are prepared and have up-to-date information on your company’s international data transfers once regulators announce new rules.
Is the E.O. a step forward towards legal certainty? Only a first step, as the Framework does not constitute a legal basis for cross-border data transfers from the European Economic Area to the US. It is definitely an area to keep monitoring: Max Schrems’ reaction to the Framework was that noyb[i] or another group would likely challenge the Framework if it were not in line with EU law.
Please get in touch to find out how Elevate can help your business comply with data privacy obligations in relation to international data transfers, e.g., Standard Contractual Clauses (SCCs), UK SCCs and Transfer Impact Assessments (TIAs).
[i] none of your business is a non-profit organisation, co-founded by Austrian lawyer and privacy activist Max Schrems.