On October 7, 2022, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities,[1] which is intended to implement U.S. commitments under the Trans-Atlantic Data Privacy Framework (DPF) announced in March 2022. With the new executive order, the Biden administration aims to strengthen the legal foundation for trans-Atlantic data flows following the 2020 Schrems II decision in which the Court of Justice of the European Union (CJEU) struck down the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield framework self-certification scheme. The executive order creates additional privacy and civil liberties safeguards for U.S. signals intelligence collection activities, as well as a new “Signals Intelligence Redress Mechanism,” which includes a new “Data Protection Review Court.” The European Commission is next expected to prepare a draft adequacy decision to adopt the DPF as a valid transfer mechanism for transfers of personal data from the European Union to the United States.
This Legal Update summarizes the key developments under the executive order, what will come next from the EU, and alternative bases for EU-U.S. data transfers while the EU evaluates the DPF as implemented through the executive order.
Key Developments Under the Executive Order
Key provisions of the executive order:
- Implement additional safeguards and limiting principles for U.S. signals intelligence collection activities. In addition to existing restrictions imposed by statute or executive action, the executive order creates new restrictions for U.S. signals intelligence collection activities. For example:
  - Signals intelligence collection activities must be conducted in pursuit of “legitimate objectives” outlined in the executive order, including, for example, “protecting against threats to the personnel of the United States or of its allies or partners.” (The executive order also identifies “prohibited objectives” for signals intelligence collection activities, such as “suppressing or restricting a right to legal counsel.”)
  - Under the executive order, any signals intelligence collection activity must follow a determination, based on a “reasonable assessment of all relevant factors,” that the specific activity “is necessary to advance a validated intelligence priority.” Signals intelligence collection activities “shall be conducted only to the extent and in a manner that is proportionate to the validated intelligence priority for which they have been authorized.”
  - In addition, the Director of National Intelligence must obtain an assessment of the National Intelligence Priorities Framework by the U.S. Civil Liberties Protection Officer (CLPO) in the Office of the Director of National Intelligence (ODNI) “[i]n order to ensure that signals intelligence collection activities are undertaken to advance legitimate objectives.” The Director must present the signals intelligence collection priorities to the President, through the Assistant to the President for National Security Affairs, on a “regular basis.”
  - The executive order also repeatedly states that signals intelligence activities must take into account the privacy and civil liberties of all persons, “regardless of their nationality or wherever they might reside.”
- Restrict bulk collection of personal data. The executive order, under Section 2(c)(ii), limits bulk collection of signals intelligence to those activities authorized “based on a determination” by the relevant elements of the U.S. intelligence community (IC) “that the information necessary to advance a validated intelligence priority cannot reasonably be obtained by targeted collection.” When authorized, the IC must “apply reasonable methods and technical measures to limit the data collected to only what is necessary to advance a validated intelligence priority while minimizing the collection of non-pertinent information.” Any signals intelligence collected through bulk collection must be in pursuit of a more limited subset of the “objectives” set out in the executive order.
- Establish and apply policies and procedures designed to minimize dissemination and retention of personal information collected through signals intelligence. The executive order, under Section 2(c)(iii), requires each element of the IC that handles personal information collected through signals intelligence to only disseminate that personal information within the U.S. government if an “authorized and appropriately trained individual has a reasonable belief that the personal information will be appropriately protected and that the recipient has a need to know the information.” The executive order also limits retention of non-U.S. persons’ personal information to the same standards and retention periods for comparable information concerning U.S. persons.
- Require the U.S. intelligence community to update its policies and procedures. The executive order, under Section 2(c)(iv), mandates that each element of the IC update its internal processes to align with the privacy and civil liberties safeguards outlined in the executive order, including by completing the following:
  - Within one year of the executive order, consult with the Attorney General, the CLPO, and the Privacy and Civil Liberties Oversight Board (PCLOB) to ensure its policies and procedures are consistent with the enhanced privacy and civil liberties safeguards;
  - Within one year of the executive order, release these policies and procedures, to the maximum extent possible, to enhance the public’s understanding of its practices;
  - Designate senior-level legal, oversight, and compliance officials who conduct periodic oversight of signals intelligence activities, and grant those officials access to all pertinent information;
  - Maintain appropriate training for all employees with access to signals intelligence so that they understand the requirements of the executive order and the policies and procedures for reporting and remediating non-compliance.
- Create the “Signals Intelligence Redress Mechanism.” The executive order, under Section 3, will establish a redress mechanism to review complaints transmitted by the appropriate public authority in a qualifying state and evaluate whether any covered U.S. laws were violated.
  - First, qualifying states will be able to submit complaints to the CLPO. (The executive order sets out that the process for this submission will be established within 60 days of the executive order.) The CLPO will be responsible for the initial investigation of complaints and for determining the appropriate remediation.
  - Second, a complainant or an element of the IC may apply for the Data Protection Review Court (DPRC) to review the CLPO’s decision. The executive order authorizes and directs the Attorney General to issue regulations (which were issued on the same day as the executive order) to establish the DPRC. In consultation with the Secretary of Commerce, the Director of National Intelligence, and the PCLOB, the Attorney General will appoint judges to serve on the DPRC who have appropriate data privacy and national security law experience, giving weight to prior judicial experience, and who are not, at the time of their initial appointment, employees of the U.S. government. Upon each application for review, a three-judge panel of the DPRC will convene and select a “special advocate” with the requisite security clearance to represent the complainant. Ultimately, the DPRC will be able to perform a review of the CLPO’s decisions, and its determination will be binding on the IC. The PCLOB will also have the right to review this redress process annually.
Next Steps from the EU
When personal data is transferred to countries outside of the European Economic Area (EEA), the transfer must be carried out in accordance with Chapter V of the GDPR. Chapter V sets out several tools that businesses can rely on when transferring data to third countries. One tool is an adequacy decision adopted by the European Commission, which certifies that a specific country provides an adequate level of data protection and legal remedies for data subjects under its local laws. Transfers to countries that have not received an adequacy decision, including the United States, must provide “appropriate safeguards” for the protection of personal data through a valid data transfer mechanism, such as the Standard Contractual Clauses (SCCs), which are currently the most common method for carrying out transfers of personal data from the EEA to the United States.
The new EU-U.S. framework for international transfers of personal data as implemented through the executive order is intended to act as an “appropriate safeguard” pursuant to the GDPR. This will mean that, if approved by the relevant EU regulatory bodies, businesses will be able to transfer personal data to the United States without the use of the SCCs if the recipient is certified under the new DPF.
The European Commission will now review the DPF and initiate its draft adequacy decision and adoption procedure. As part of this process, the European Data Protection Board (“EDPB”) will submit the draft adequacy decision for review to a committee composed of representatives of the EU member states. Additionally, the European Parliament may exercise its right of scrutiny over adequacy decisions. Following the review, the European Commission can adopt a final adequacy decision for the United States with respect to businesses that rely on the DPF to transfer personal data. If the United States is approved as a country with data adequacy, data transfers from the EU to the U.S. by businesses that are certified to the DPF will no longer require separate data transfer mechanisms to provide additional safeguards. The European Commission announced that “U.S. companies will be able to join the framework by committing to comply with a detailed set of privacy obligations.”
Alternative Data Transfer Mechanisms
As the European Commission prepares its review of a data adequacy decision, businesses may still rely on other valid data transfer mechanisms for personal data transfers from the EU to the United States, including the SCCs and Binding Corporate Rules (BCRs). SCCs, which are the most common mechanism for EU-U.S. data transfers, may be incorporated into businesses’ commercial contracts. As of September 27, 2021, all new contracts must use the new SCCs released by the European Commission in June 2021 (the 2021 SCCs). As of December 27, 2022, all new and existing contracts must use the 2021 SCCs. The European Commission has released practical guidance for businesses relying on the 2021 SCCs for data transfers.
[1] Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (Oct. 7, 2022), https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities/.