President Biden signed an Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities” (“Executive Order”) on 7 October 2022. In conjunction with the regulations issued by the US Attorney General to establish a Data Protection Review Court (“DPRC”), the Executive Order implements into US law the agreement in principle revealed by President Biden and President von der Leyen in March of 2022 on a new EU-US Data Privacy Framework.
The Executive Order introduces new binding safeguards to address all the points raised by the Court of Justice of the EU (“CJEU”), limiting access to EU data by US intelligence services and creating the new DPRC. The European Commission is consequently now in a position to prepare a draft adequacy decision, as well as introduce its adoption process.
Impact on transatlantic transfers of EU personal data
For Europeans whose personal data is transferred to the US, the new Executive Order and the accompanying regulations provide the legal framework for:
- Binding safeguards that limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security; and
- The establishment of an independent and impartial remedy mechanism, which includes the new DPRC to investigate and resolve complaints regarding access to their data by US national security authorities.
Th Executive Order also requires US intelligence agencies to review their policies and procedures to implement these new safeguards. These are significant improvements compared to the Privacy Shield which the CJEU declared as an invalid transfer mechanism under EU law following the so-called Schrems II decision of July 2020.
Role of the new DPRC
In order to be in keeping with EU data privacy standards and to add further safeguards, the new DPRC will independently review determinations made by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence (“ODNI CLPO”) in response to qualifying complaints sent by individuals through appropriate public authorities that allege certain violations of US law in the conduct of US signals intelligence activities.
Amongst other enhancements, these new safeguards will include:
- Requiring that such signals intelligence activities be conducted only in pursuit of well-defined national security objectives;
- Taking into consideration the privacy and civil liberties of all individuals, regardless of nationality or country of residence; and be conducted only when necessary to advance e a validated intelligence priority and only to the extent and in a manner proportionate to that priority;
- Requiring US Intelligence Community elements to update their policies and procedures to reflect the new privacy and civil liberties safeguards contained in the Executive Order;
- Creating a multi-layer mechanism for individuals from qualifying states and regional economic integration organisations, as designated pursuant to the Executive Order, to obtain independent and binding review and redress of claims that their personal information collected through US signals intelligence was collected or handled by the US in violation of applicable US law, including the enhanced safeguards in the Executive Order; and
- Calling on the Privacy and Civil Liberties Oversight Board to review Intelligence Community policies and procedures to ensure that they are consistent with the Executive Order and to carry out an annual review.
The above safeguards will enable the European Commission to imminently adopt a new adequacy determination, which will reintroduce a simple and effective transatlantic data transfer mechanism under UE law. It will also afford a greater level of legal certainty for organisations using Standard Contractual Clauses[1] (the “SCCs”) and Binding Corporate Rules[2] (“BCR”) to transfer EU personal data to the US.
Approval of new US Data Privacy Framework at UK and EU level
Despite the Executive Order having immediate effect, the UK and the EU are expected to take some time to approve the new US Data Privacy Framework under their respective legal systems. Until such time as the new framework is implemented at UK and EU level and these jurisdictions are in turn deemed as qualifying under the redress mechanism in the US, data exporters will need to continue carrying out transfer risk assessments in addition to using SCCs and BCR. This will include factoring in the Executive Order itself in the analysis and taking into consideration whether additional technical, contractual, or organisational measures are required.
This is a developing piece of legislation with a multitude of ramifications for transatlantic transfers of personal data. We will be monitoring it closely and updating our blog accordingly.
Related articles
See more on the Schrems II decision here.
Find the Executive Order here, the Executive Order Q&As here and the EU Justice announcement here.
Please contact Jose Saras and Xavier Prida if you have any questions about international data transfers.
The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.
[1] According to the EU General Data Protection Regulation (GDPR), contractual clauses ensuring data protection safeguards can be used as a ground for data transfers from the EU to so-called third countries. This includes model contract clauses that have been “pre-approved” by the European Commission.
[2] Binding Corporate Rules are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises. Such rules must include all general data protection principles and enforceable rights to ensure appropriate safeguards for international data transfers.