HLS.Today – President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (E.O.) directing the steps that the United States will take to implement the U.S. commitments under the European Union-U.S. Data Privacy Framework (EU-U.S. DPF) announced by President Biden and European Commission President von der Leyen in March of 2022.
Transatlantic data flows are critical to enabling the $7.1 trillion EU-U.S. economic relationship. The EU-U.S. DPF will restore an important legal basis for transatlantic data flows by addressing concerns that the Court of Justice of the European Union raised in striking down the prior EU-U.S. Privacy Shield framework as a valid data transfer mechanism under EU law.
The Executive Order bolsters an already rigorous array of privacy and civil liberties safeguards for U.S. signals intelligence activities. It also creates an independent and binding mechanism enabling individuals in qualifying states and regional economic integration organizations, as designated under the E.O., to seek redress if they believe their personal data was collected through U.S. signals intelligence in a manner that violated applicable U.S. law.
U.S. and EU companies large and small across all sectors of the economy rely upon cross-border data flows to participate in the digital economy and expand economic opportunities. The EU-U.S. DPF represents the culmination of a joint effort by the United States and the European Commission to restore trust and stability to transatlantic data flows and reflects the strength of the enduring EU-U.S. relationship based on our shared values.
In particular, the Executive Order:
Adds further safeguards for U.S. signals intelligence activities, including requiring that such activities be conducted only in pursuit of defined national security objectives; take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence; and be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority.
Mandates handling requirements for personal information collected through signals intelligence activities and extends the responsibilities of legal, oversight, and compliance officials to ensure that appropriate actions are taken to remediate incidents of non-compliance.
Requires U.S. Intelligence Community elements to update their policies and procedures to reflect the new privacy and civil liberties safeguards contained in the E.O.
Creates a multi-layer mechanism for individuals from qualifying states and regional economic integration organizations, as designated pursuant to the E.O., to obtain independent and binding review and redress of claims that their personal information collected through U.S. signals intelligence was collected or handled by the United States in violation of applicable U.S. law, including the enhanced safeguards in the E.O.
Under the first layer, the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO) will conduct an initial investigation of qualifying complaints received to determine whether the E.O.’s enhanced safeguards or other applicable U.S. law were violated and, if so, to determine the appropriate remediation. The E.O. builds up the existing statutory CLPO functions by establishing that the CLPO’s decision will be binding on the Intelligence Community, subject to the second layer of review, and provides protections to ensure the independence of the CLPO’s investigations and determinations.
As a second layer of review, the E.O. authorizes and directs the Attorney General to establish a Data Protection Review Court (“DPRC”) to provide independent and binding review of the CLPO’s decisions, upon an application from the individual or an element of the Intelligence Community. Judges on the DPRC will be appointed from outside the U.S. Government, have relevant experience in the fields of data privacy and national security, review cases independently, and enjoy protections against removal. Decisions of the DPRC regarding whether there was a violation of applicable U.S. law and, if so, what remediation is to be implemented will be binding. To further enhance the DPRC’s review, the E.O. provides for the DPRC to select a special advocate in each case who will advocate regarding the complainant’s interest in the matter and ensure that the DPRC is well-informed of the issues and the law with regard to the matter. The Attorney General today issued accompanying regulations on the establishment of the DPRC.
Calls on the Privacy and Civil Liberties Oversight Board to review Intelligence Community policies and procedures to ensure that they are consistent with the Executive Order and to conduct an annual review of the redress process, including to review whether the Intelligence Community has fully complied with determinations made by the CLPO and the DPRC.
These steps will provide the European Commission with a basis to adopt a new adequacy determination, which will restore an important, accessible, and affordable data transfer mechanism under EU law. It will also provide greater legal certainty for companies using Standard Contractual Clauses and Binding Corporate Rules to transfer EU personal data to the United States.
HLS.Today Source: White House EU-US Privacy Shield
FACT SHEET: United States and European Commission Announce Trans-Atlantic Data Privacy Framework
The United States and the European Commission have committed to a new Trans-Atlantic Data Privacy Framework, which will foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union when it struck down in 2020 the Commission’s adequacy decision underlying the EU-U.S. Privacy Shield framework.
This Framework will reestablish an important legal mechanism for transfers of EU personal data to the United States. The United States has committed to implement new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, which will ensure the privacy of EU personal data and to create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities. This deal in principle reflects the strength of the enduring U.S.-EU relationship, as we continue to deepen our partnership based on our shared democratic values.
This Framework will provide vital benefits to citizens on both sides of the Atlantic. For EU individuals, the deal includes new, high-standard commitments regarding the protection of personal data. For citizens and companies on both sides of the Atlantic, the deal will enable the continued flow of data that underpins more than $1 trillion in cross-border commerce every year, and will enable businesses of all sizes to compete in each other’s markets. It is the culmination of more than a year of detailed negotiations between the EU and the U.S. following the 2020 decision by the Court of Justice of the European Union ruling that the prior EU-U.S. framework , known as Privacy Shield, did not satisfy EU legal requirements.
The new Trans-Atlantic Data Privacy Framework underscores our shared commitment to privacy, data protection, the rule of law, and our collective security as well as our mutual recognition of the importance of trans-Atlantic data flows to our respective citizens, economies, and societies. Data flows are critical to the trans-Atlantic economic relationship and for all companies large and small across all sectors of the economy. In fact, more data flows between the United States and Europe than anywhere else in the world, enabling the $7.1 trillion U.S.-EU economic relationship.
By ensuring a durable and reliable legal basis for data flows, the new Trans-Atlantic Data Privacy Framework will underpin an inclusive and competitive digital economy and lay the foundation for further economic cooperation. It addresses the Court of Justice of the European Union’s Schrems II decision concerning U.S, law governing signals intelligence activities. Under the Trans-Atlantic Data Privacy Framework, the United States has made unprecedented commitments to:
Strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities;
Establish a new redress mechanism with independent and binding authority; and
Enhance its existing rigorous and layered oversight of signals intelligence activities.
For example, the new Framework ensures that:
Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties;
EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the U.S. Government who would have full authority to adjudicate claims and direct remedial measures as needed; and
U.S. intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.
Participating companies and organizations that take advantage of the Framework to legally protect data flows will continue to be required to adhere to the Privacy Shield Principles, including the requirement to self-certify their adherence to the Principles through the U.S. Department of Commerce. EU individuals will continue to have access to multiple avenues of recourse to resolve complaints about participating organizations, including through alternative dispute resolution and binding arbitration.
These new policies will be implemented by the U.S. intelligence community in a way to effectively protect its citizens, and those of its allies and partners, consistent with the high-standard protections offered under this Framework.
The teams of the U.S. government and the European Commission will now continue their cooperation with a view to translate this arrangement into legal documents that will need to be adopted on both sides to put in place this new Trans-Atlantic Data Privacy Framework. For that purpose, these U.S. commitments will be included in an Executive Order that will form the basis of the Commission’s assessment in its future adequacy decision.