On Friday, October 7, 2022, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities. Work on implementing a new transatlantic data transfer adequacy agreement continues, and this latest Executive Order outlines the steps that the U.S. Intelligence Community will take to implement the U.S. commitments under a new European Union-U.S. Data Privacy Framework (“EU-U.S. DPF”).
While we wrote about The White House’s press release last week, today’s blog post delves a bit further into what the Executive Order entails, what the Data Protection Review Court (“DPRC”) would look like, and what all this could mean for businesses going forward.
Background and Timeline
The EU-U.S. Privacy Shield and the Schrems II Decision
On July 16, 2020, the Court of Justice of the European Union (“CJEU”) rendered the European Commission’s (“EC”) Decision (EU) 2016/1250 on the adequacy of the EU-U.S. Privacy Shield invalid. Chief among its reasons were the limitations on the protection of personal data arising from U.S. domestic law on access and use of such personal data by U.S. intelligence authorities.
The CJEU’s decision in Data Protection Commissioner v. Facebook Ireland and Maximilian Schrems, Case 311/18 (“Schrems II”), created significant uncertainty surrounding the transfer of personal data between the U.S. and the EU. At the time, as many as 5,300 U.S. companies were relying on the EU-U.S. Privacy Shield to conduct transatlantic data transfers in accordance with EU data protection laws.
In the wake of the CJEU’s decision, statements issued by both U.S. and EU officials stressed the importance of finding a mutual solution.
Cross-border Data Transfers and the Standard Contractual Clauses
Although it invalidated the EU-U.S. Privacy Shield, the CJEU upheld the continued use of the Standard Contractual Clauses (“SCCs”). Even so, the CJEU highlighted the heightened tension surrounding the transfer of data from the EU to the U.S. and urged companies to consider whether such data transfers would require “supplemental measures.”
On June 4, 2021, the EC announced its long-anticipated updates to the SCCs (“New SCCs”). For more information about the impact of these New SCCs, please see our past blog post on the topic. (As a reminder, businesses are required to transition all existing contractual agreements to the New SCCs by December 27, 2022. If you have any questions regarding this transition, please reach out to a member of our experienced team.)
Towards a New EU-U.S. Data Privacy Framework
On March 25, 2022, President Biden and EC President von der Leyen announced a joint commitment to a new Trans-Atlantic Data Privacy Framework. The announcement emphasized the re-establishment of “an important legal mechanism for transfers of EU personal data to the United States.” Though merely a political agreement, the announcement from The White House summarized a number of commitments that the U.S. is willing to make with respect to strengthening the privacy and civil liberties safeguards governing U.S. signals intelligence activities.
The European Data Protection Board (“EDPB”) followed suit with its own statement on April 6, 2022, supporting the political agreement in principle and confirming its role in examining any legal proposals and supporting documents in furtherance of this new framework.
President Biden Signs Executive Order to Implement the EU-U.S. DPF
General Overview
President Biden’s October 7th Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities arrives several months after the events above. The Executive Order focuses particularly on:
- requiring signals intelligence activities to be conducted only following a determination, based on a reasonable assessment of all relevant factors, that the activities are necessary to advance a validated intelligence priority;
- requiring the Intelligence Community to establish and apply policies and procedures to minimize the dissemination and retention of personal information collected through signals intelligence;
- requiring the Director of National Intelligence to work with the Civil Liberties Protection Officer of the Office of the Director of National Intelligence (“CLPO”) on an assessment of validated intelligence priorities;
- establishing a redress mechanism to review qualifying complaints; and
- establishing a Data Protection Review Court (“DPRC”) that will impartially review the determinations made by the CLPO with respect to whether a covered violation occurred and the appropriate remediation in the event that there was such a violation.
What follows is a more detailed look into these measures.
Validated Intelligence Priorities and Legitimate Objectives
The Executive Order directs that “[s]ignals intelligence activities shall be conducted only following a determination, based on a reasonable assessment of all relevant factors, that the activities are necessary to advance a validated intelligence priority, although signals intelligence does not have to be the sole means available or used for advanced aspects of the validated intelligence priority.”
The provided list of legitimate signals intelligence priorities and objectives centers largely on U.S. national security purposes. The Executive Order also expressly lists several prohibited objectives, namely:
- the suppression of criticism, dissent, or the free expression of ideas or political opinions by individuals or the press;
- the suppression or restriction of legitimate privacy interests;
- the suppression or restriction of the right to legal counsel;
- the disadvantaging of persons based on their ethnicity, race, gender, gender identity, sexual orientation, or religion; or
- the obtaining of competitive, commercial advantages for U.S. companies and business sectors.
Notably, the Executive Order does not elaborate on what constitutes “legitimate privacy interests” beyond stating that “all persons have legitimate privacy interests in the handling of their personal information.”
The Director of National Intelligence is directed to establish priorities for the U.S. Intelligence Community by obtaining from the CLPO an assessment regarding anticipated signals intelligence collection activities.
Minimization of Dissemination and Retention of Personal Information
Additionally, the Executive Order directs each agency/office of the U.S. Intelligence Community to handle personal information collected through signals intelligence such that the dissemination and retention of that personal information is minimized.
It also requires the U.S. Intelligence Community to establish data security procedures that prevent access by unauthorized persons, limit access to authorized personnel with the appropriate training, take into account the bulk collection of unminimized signals intelligence, and document the nature and type of collection at issue and the context in which it is collected.
Within 1 year of the date of this Executive Order, the heads of each agency/office of the U.S. Intelligence Community are required to update policies and procedures in consultation with the Attorney General, the CLPO, and the Privacy and Civil Liberties Oversight Board (“PCLOB”) and to publicly release these policies and procedures to the maximum extent possible.
Oversight within the U.S. Intelligence Community should be led by senior-level legal and compliance officials, and all employees with access to signals intelligence should receive the appropriate training.
Redress Mechanism and the Establishment of the DPRC
The redress mechanism contemplated by this Executive Order is twofold.
First, the Director of National Intelligence will establish a process that authorizes the CLPO to investigate, review, and (if necessary) order remediation for qualifying complaints. The heads of each agency/office of the U.S. Intelligence Community have 60 days (from the date of this Executive Order) to establish a submission process for qualifying complaints. The CLPO’s determinations will have a binding effect on the U.S. Intelligence Community.
A “qualifying complaint” is defined by the Executive Order as a “complaint, submitted in writing, that:
- alleges a covered violation has occurred that pertains to personal information of or about the complainant, a natural person, reasonably believed to have been transferred to the United States from a qualifying state after the effective date of the Attorney General’s designation for such state;
- includes the following basic information to enable a review: information that forms the basis for alleging that a covered violation has occurred, which need not demonstrate that the complainant’s data has in fact been subject to the United States signals intelligence activities; the nature of the relief sought; the specific means by which personal information of or about the complainant was believed to have been transmitted to the United States; the identities of the United States Government entities believed to be involved in the alleged violation (if known); and any other measures the complainant pursued to obtain the relief requested and the response received through those other measures;
- is not frivolous, vexatious, or made in bad faith;
- is brought on behalf of the complainant, acting on that person’s own behalf, and not as a representative of a governmental, nongovernmental, or intergovernmental organization; and
- is transmitted by the appropriate public authority in a qualifying state, after it has verified the identity of the complainant and that the complaint satisfies the conditions of [this order].”
Second, the Attorney General is required to promulgate regulations for the establishment of the DPRC. On the same day as the Executive Order, Attorney General Merrick Garland signed a new regulation establishing the DPRC.
“The DPRC will review determinations made by the CLPO in response to qualifying complaints that allege certain violations of United States law in the conduct of United States signals intelligence activities. Applications for review by the DPRC must be filed by individuals through the appropriate public authority in a designated foreign country or regional economic integration organization.”
The DPRC will sit within the Department of Justice (“DOJ”) and will consist of six or more judges appointed by the Attorney General from outside the U.S. government for four-year renewable terms. The DPRC judges will not be subject to the day-to-day supervision of the Attorney General and may not be removed or subjected to other adverse action arising from their service on the DPRC except for the stated causes.
Applications by individual complainants are to be reviewed by three-judge panels of the DPRC, with the presiding judge of such a panel selecting a “Special Advocate” to advocate for the complainant’s interest.
Responses to the Executive Order
On October 7, 2022, Gina M. Raimondo (the U.S. Secretary of Commerce) and The Rt Hon Michelle Donelan MP (the UK Secretary of State for Digital, Culture, Media, and Sport) issued a joint statement on the commitment to develop a landmark bilateral Technology Partnership and the progress made towards UK-U.S. data adequacy. The joint statement indicates that the U.S. intends to designate the UK as a qualifying state for submitting complaints under the Executive Order.
Maximilian Schrems’ advocacy organization, none of your business (“NOYB”), also issued a statement in response to the Executive Order. Having expressed skepticism that the Executive Order will solve the problem, NOYB stated that there is no indication that U.S. mass surveillance will change in practice and that the DPRC will not be a “real” court with true judicial redress.
Finally, the EC announced that it will now prepare a draft adequacy decision and obtain an opinion from the EDPB. In its statement, the EC was hopeful that the new safeguards and redress mechanism would provide a durable and reliable legal basis for transatlantic data flows.
Key Takeaways for Businesses
We are likely still some time away from the implementation of a new EU-U.S. DPF. In the wake of this Executive Order, the EC has commenced drafting an adequacy decision. The process of drafting an adequacy decision, seeking an opinion from the EDPB, and adopting an adequacy decision could take several months. On the U.S. side, the Attorney General will need to set up the DPRC and designate the EU as a qualifying regional economic integration organization.
In its statement of October 7, 2022, the EC remained hopeful that the CJEU will not strike down this new EU-U.S. DPF because of the additional safeguards and redress mechanism provided for by this Executive Order. However, the CJEU and other relevant data protection authorities may still challenge the framework whenever it is finalized.
The EC reminded businesses “that an adequacy decision is not the only tool for international transfers.” In the meantime, the new SCCs remain a current, viable option. It is important to note that businesses must transition existing contractual agreements to the new SCCs by December 27, 2022.
Octillo will continue to monitor and provide further guidance as new developments come up. If you have any questions regarding this development, please contact a member of our team.
*Attorney advertising. Prior results do not guarantee a similar outcome.