On Oct. 7, 2022, President Joe Biden signed an “Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities,” which lays out steps the U.S. will take to implement its commitments under the new framework. It was the U.S.’s signals intelligence activities and a lack of adequate safeguards in place to protect personal data involved in such activities, after all, that led to the European Court of Justice’s decision to strike down the prior Privacy Shield framework in 2020. Biden’s executive order also comes after the U.S. and the EU this past March reached an agreement in principle on the new framework.
In a nutshell, the executive order strengthens privacy and civil liberty safeguards in the execution of U.S. signals intelligence activities. As summarized by the accompanying factsheet, the executive order:
- Adds further safeguards for U.S. signals intelligence activities, including requiring that such activities be conducted only in pursuit of defined national security objectives; take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence; and be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority.
- Mandates handling requirements for personal information collected through signals intelligence activities and extends the responsibilities of legal, oversight, and compliance officials to ensure that appropriate actions are taken to remediate incidents of non-compliance.
- Requires U.S. Intelligence Community elements to update their policies and procedures to reflect the new privacy and civil liberties safeguards contained in the [executive order].
Perhaps more notably, the executive order also provides for a two-tiered redress mechanism, in which a (“CLPO”) and ultimately, a (“DPRC”)—an independent binding authority—can adjudicate “qualifying complaints transmitted by the appropriate public authority in a qualifying state concerning the United States signals intelligence activities.” In other words, individuals can send qualifying complaints to the CLPO through appropriate public authorities if they feel their data privacy rights have been violated by the conduct of U.S. signals intelligence activities. The CLPO can then investigate, review, and order remediation as appropriate. If necessary, such cases may escalate to the DPRC, which has the authority to review CLPO determinations. This redress mechanism addresses European Court of Justice concerns over a current lack of appropriate legal recourse for data subjects seeking judicial protection of their data rights in cross-border data flows from the EU to the U.S. It is also a crucial step toward the official implementation of a new framework.
Cross-border data flows are essential for many U.S. and EU companies across all industries and sectors as these companies seek to grow and participate in the global digital economy. Having a new framework for transatlantic data flows will help ensure greater protection of personal data. It will also bolster trust and stability between the U.S. and EU when it comes to transatlantic data flows.
While the executive order is a promising development for a new framework and matters of EU-U.S. data transfers and privacy, the process has just begun. As any new framework must be a collaborative effort, the EU must sign off on it. Accordingly, the ball is now in the EU’s court, as the next step is for the European Commission to assess the proposed framework as well as the U.S.’s commitments under it. The Commission must then adopt a new adequacy determination, allowing the new framework to become operative under EU law.
Contact Zasio to explore how our technology solutions and consulting services can help fulfill your data privacy and information governance needs.P
Author: Jared Walker, JD
Senior Research Analyst, Team Lead / Licensed Attorney