On October 7, 2022, President Biden signed an executive order on "Enhancing Safeguards for United States Signals Intelligence Activities," outlining the measures that the United States will take to implement its commitments under the upcoming EU-U.S. Trans-Atlantic Data Privacy Framework.
The EU-U.S. Privacy Shield, which allowed the free flow of data across the Atlantic, was annulled in July 2020 by the European Court of Justice in the Schrems II decision, as the Court had held that the United States did not provide for an "essentially equivalent" level of protection as guaranteed in the European Union (please see our Commentary).
In March 2022, President Biden and European Commission President von der Leyen had announced an agreement in principle on a new Trans-Atlantic Data Privacy Framework to replace the EU-U.S. Privacy Shield.
The purpose of the executive order and the regulations issued by the attorney general is to implement into U.S. law the agreement in principle reached in March 2022.
In particular, the executive order:
- Introduces safeguards for U.S. intelligence activities, including the requirement that such activities only take place pursuant to determined national security objectives, take into account privacy and civil liberties concerns, and are necessary and proportionate to achieve an intelligence objective;
- Introduces mandatory requirements on handling personal data through intelligence services and extends the responsibilities of legal, oversight, and compliance officials to remedy noncompliance incidents;
- Requires the U.S. intelligence community to put in place the necessary adjustments in order to enforce the new data-sharing regime;
- Provides for a two-layer redress mechanism aimed to investigate and resolve complaints of Europeans about U.S. national security authorities accessing their personal data. EU citizens would first file a complaint before the U.S. Civil Liberties Protection Officer ("CLPO"), which would conduct an initial investigation to assess whether the executive order's safeguards or other U.S. laws were infringed, and apply the necessary remedies. As a second layer, the Data Protection Review Court (which is, despite its name, a body within the executive branch) would provide independent and binding review of the CLPO's decision; and
- Calls on the Privacy and Civil Liberties Oversight Board to review Intelligence Community policies and procedures.
The executive order will soon become effective following its publication in the U.S. Federal Register.
In a process that will likely take six months, the Commission is now expected to review the legal text, propose a draft adequacy decision, and launch its adoption procedure, which requires an opinion from the European Data Protection Board, the approval of a committee composed of representatives of EU Member States, and the scrutiny of the European Parliament.
In the meantime, companies may use the new EU Standard Contractual Clauses ("SCCs") issued by an implementing decision of the Commission in June 2021 (please see our Commentary) for trans-Atlantic data transfers. However, companies that are using the old version of the SCCs have only until December 27, 2022, to switch to the new SCCs to comply with the Commission's decision.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.