On October 7, 2022, the president of the United States signed an executive order on enhancing safeguards for United States signals intelligence activities (the “Executive Order,” available here), which, together with the accompanying regulations issued by the U.S. attorney general, are aimed at implementing into U.S. law the agreement in principle reached by President of the European Commission Ursula von der Leyen and U.S. President Joe Biden on March 25, 2022, regarding a new EU-U.S. data privacy framework.
The Executive Order has binding and immediate effect in the United States and, in a nutshell, it introduces the following:
- Binding safeguards with regard to U.S. intelligence activities, which may be carried out only when authorized and only in pursuit of established objectives, in compliance with principles such as necessity and proportionality between the intelligence priority and the impact on the privacy and civil liberties of all persons.
- Processing requirements to be followed when dealing with personal data gathered while carrying out intelligence activities, which are aimed at minimizing access, dissemination, and retention of such data, and at ensuring a certain level of data security.
- The requirement for the intelligence community to update its policies as necessary to implement the privacy and civil liberties safeguards established in the Executive Order, which will be reviewed by the U.S. Privacy and Civil Liberties Oversight Board and released publicly.
- A signals intelligence redress mechanism to review complaints lodged by individuals claiming violation of applicable U.S. law with regard to the collection and processing of their personal data by signals intelligence activities. This is a two-layer redress mechanism: under the first layer, the complaint is investigated by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence (“CLPO”), who issues a binding decision regarding the complaint. Under the second layer, the CLPO’s decision may be subject to review by the Data Protection Review Court (an ad hoc review body established by the Executive Order) following application by either the complainant or a member of the intelligence community.
The Executive Order introduces binding safeguards to address the issues pointed out by the Court of Justice of the European Union (“CJEU”) in Case C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems (“Schrems II judgment,” available here) which invalidated the framework for trans-Atlantic data flows, i.e., Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU–U.S. Privacy Shield (the “Privacy Shield”). As a side note, the previous framework for EU-U.S. data flows (Commission Decision 2000/520/EC, known as the Safe Harbor Decision) was invalidated by the CJEU via a judgment rendered on October 6, 2015 (Case C-362/14, the first installment in the long-running Schrems saga—available here).
In the Schrems II judgment, the CJEU reaffirmed the need to ensure that personal data subject to the application of Regulation (EU) 679/2016 (“GDPR”) are transferred to third countries under a level of protection “essentially equivalent” to the protection provided by the European legislative framework. In invalidating the Privacy Shield, the CJEU found that the United States did not guarantee that type of essentially equivalent level of protection, mainly because (i) interference with the protection of personal data by government surveillance programs did not comply with the “proportionality” principle enshrined in article 52(1) of the Charter of Fundamental Rights of the European Union (the “Charter”); and (ii) the Privacy Shield ombudsperson mechanism did not provide an effective remedy before a tribunal, as required by article 47 of the Charter, to persons whose personal data were transferred to the United States.
Since the Schrems II judgment, companies wishing to transfer personal data from the EU to the United States on a regular basis have been relying on other tools provided by the GDPR under articles 46 and 47. As a result of the Schrems II judgment, data controllers relying on the Standard Contractual Clauses of the European Commission pursuant to article 46(2)(c) of the GDPR have had to carry out additional assessments, on a case-by-case basis, of whether the law of the destination country actually provides essentially equivalent protection for personal data and, if necessary, to provide safeguards in addition to those offered by said clauses. It is worth noting that the Executive Order will have a positive impact on those types of assessment, as it is likely to lower the risks presented by such data transfers.
The Q&A issued by the European Commission (“EC”) states that the Executive Order will serve as the basis for the EC to prepare a draft adequacy decision under article 45 of the GDPR and launch its adoption procedure, which is expected to be complete in or around spring 2023.
Adequacy decisions are tools used to regulate personal data transfers to third countries that the European Commission has identified as able to ensure an adequate level of data protection (the list of those countries is available here). To reach an adequacy decision, the EC will have to obtain an opinion from the European Data Protection Board and must earn the approval of a committee composed of representatives of EU Member States. In addition, the European Parliament has a right of scrutiny over adequacy decisions.
Only after that has occurred can the EC adopt the final adequacy decision on the United States, allowing the free flow of personal data between the EU and U.S. companies certified by the Department of Commerce under the new framework.
In the meantime, the EC suggests that companies continue to use the other tools provided by the GDPR to regulate data transfers to third countries.
The Executive Order is largely welcome as a sign of commitment on the part of the United States and as the result of intense negotiations between that country and the EU to reach a compromise between two very different ways of viewing the fundamental right to privacy and data protection. However, it is not a legislative provision. This has raised the question of whether an executive order, which by definition cannot modify a law, is enough to overcome the fundamental differences between the EU and U.S. legal frameworks, as pointed out by a member of the Italian Data Protection Authority. Furthermore, some have already noted that the amendments to the U.S. legislative framework are not sufficient to ensure an adequate level of protection for personal data. For instance, in a recent press release the European Consumer Association (BEUC) warned about the absence of safeguards to address issues related to the commercial use of personal data. Concerns have also been raised by the American Civil Liberties Union, which asked for deeper reform of U.S. laws allowing government surveillance, and by NOYB, the NGO founded by Maximilian Schrems, which argued that the Executive Order fails to address the shortcomings highlighted by the CJEU in the Schrems II judgment.