Biden Administration Issues Executive Order to Encourage EU-US Data Transfers
On October 7, 2022, President Biden issued an “Executive Order on Enhancing Safeguards for the United States Signals Intelligence Activities” (Executive Order) explaining the steps the United States will take to implement the US commitments under the EU-US Data Privacy Framework (Data Privacy Framework).
The Data Privacy Framework is a response to the July 2020 “Schrems II” decision by the Court of Justice of the European Union (CJEU), which invalidated the EU-US Privacy Shield Framework (Privacy Shield) as a lawful mechanism for the transfer of personal data from the EU to the United States under the EU’s General Data Protection Regulation (GDPR). Before Schrems II, companies could self-certify as Privacy Shield-compliant and cross-border transfers were considered adequate under Article 45 of the GDPR. With Privacy Shield invalidated, companies have relied on other transfer mechanisms, most commonly the Standard Contractual Clauses (SCCs), which impose an additional burden of conducting a transfer impact assessment (TIA) to assess on a case-by-case basis whether the personal data would be sufficiently protected in the receiving jurisdiction. The CJEU’s decision in Schrems II was driven largely by its understanding of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, which give the US government certain surveillance powers that may give access to personal data of EU data subjects.
The Data Privacy Framework is an attempt to address the CJEU’s criticisms and pave the way for less burdensome data flows. To ensure the Data Privacy Framework obligations for the US are met, the Executive Order:
- adds further safeguards for US signals intelligence activities, including requiring that those activities be limited to defined national security obligations and take into consideration the privacy and civil liberties of individuals;
- mandates handling requirements for personal data collected through such activities and extends the responsibilities of officials to ensure compliance and remediation of non-compliance;
- requires the US intelligence community to update policies and procedures to reflect the new privacy and civil liberties safeguards contained in the Executive Order;
- requires a Privacy and Civil Liberties Oversight Board to review intelligence community policies and procedures to ensure and enshrine the commitments of the Executive Order; and
- creates a multi-layer mechanism for individuals to obtain independent and binding review and redress with regard to claims relating to unlawful processing of their data through US signals intelligence.
As to this final point, also on October 7, the Department of Justice issued a new rule establishing a Data Protection Review Court (DPRC) to allow for the second tier of review by individuals alleging violations of their privacy and civil liberties in the conduct of signals intelligence activities.
Some may consider the Executive Order a step towards the European Commission issuing a decision deeming the US an adequate jurisdiction, allowing free flows of personal data from the EU to the United States. On the other hand, there is also skepticism as to whether the Executive Order goes far enough in allaying the Schrems II concerns. In any event, the Data Privacy Framework and the Executive Order are a step in that direction and may, in the meantime, assist companies carrying out TIAs in assessing whether the personal data would be sufficiently protected in the US as the receiving jurisdiction.
© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.