The Executive Order is designed to address concerns about governmental access and surveillance that led the Court of Justice of the European Union (“CJEU”) to strike down the previous data transfer framework, the EU-U.S. Privacy Shield Framework, in its July 2020 “Schrems II” decision. Specifically, the CJEU held that U.S. foreign intelligence activities undermined the commercial protections of the Privacy Shield Framework by allowing the U.S. government to access European data without appropriate “proportionality” restrictions or oversight mechanisms, such as review by independent bodies and redress for affected individuals. Since 2020, companies have struggled to find a clear legal basis for transfers of personal data to the U.S. Most companies rely on European Commission-approved model contracts (standard contractual clauses, or “SCCs”) combined with “transfer impact assessments” (“TIAs”) to validate such transfers; however, escalating enforcement actions and litigation, including those concerning companies’ use of Google Analytics, have raised questions about the long-term viability of this approach.
The Executive Order reinforces privacy and civil liberties safeguards as they relate to U.S. surveillance activities, and particularly those relating to signals intelligence (i.e., the collection and analysis of electronic signals and communications). Moreover, it creates a binding, independent mechanism within the executive branch, a Data Protection Review Court, enabling individuals in “qualifying states,” including EU member states, to seek redress if they believe their personal data was collected via U.S. signals intelligence using means that violate U.S. law.
In an attempt to “restore trust and stability” to transatlantic data flows, the Executive Order:
Incorporates new safeguards to address “proportionality” concerns. For example, the Executive Order requires signals intelligence activities to be “conducted only following a determination, based on a reasonable assessment of all relevant factors, that the activities are necessary to advance a validated intelligence priority” and “only to the extent and in a manner that is proportionate to the validated intelligence priority for which they have been authorized.” The Executive Order specifies that the protections for individuals’ privacy and civil liberties apply “regardless of their nationality or wherever they might reside.” While the Executive Order does not prohibit “bulk collection” — an issue that has vexed European courts — it states that “targeted collection shall be prioritized” and requires an interagency panel to approve bulk collection practices, and only permits such practices where the intelligence priority cannot be advanced by other means.
Creates new oversight bodies and redress mechanisms. The Executive Order establishes a multi-layer mechanism for individuals to pursue redress for unlawful foreign intelligence activities, which includes, first, review by the Civil Liberties Protection Officer in the Office of the Director of National Intelligence, and, second, application for additional review by a Data Protection Review Court. The Data Protection Review Court will be set up within the executive branch in the U.S. Department of Justice under the auspices of the attorney general, and is thus not subject to the rigorous standing requirements that have barred plaintiffs, including U.S. persons, from bringing such claims in U.S. courts. The court’s decisions will be final and binding.
Requires the Privacy and Civil Liberties Oversight Board (“PCLOB”) to review policies and procedures. The Executive Order calls upon the PCLOB to review the policies and procedures of the U.S. Intelligence Community and to conduct a review of the redress process to assess whether the Intelligence Community has complied with determinations made at both layers of complaint review.
Now that the Executive Order has been signed, the European Commission will draft a “proposal” (a draft adequacy decision) to implement the DPF, which will then be submitted to the European Data Protection Board (“EDPB”) for its expert opinion on the sufficiency of the protections afforded by the new changes. The EDPB’s opinion is not binding, but if it determines that the DPF does not confer “essentially equivalent” protection for transferred data, that opinion could trigger further negotiations between the European Commission and the U.S. Department of Commerce. The final step, prior to potential adoption of the DPF, will be for the European Commission to put the proposal before an EU committee composed of representatives from each EU Member State, who will then vote on whether to approve it. The process could take several months, during which organizations will continue to rely on SCCs and TIAs under the current framework.
In response to the announcement, privacy advocates in Europe, including Max Schrems and NOYB, expressed disappointment, stating that the DPF continues to permit bulk collection of personal data and that the redress mechanism under it is more akin to an administrative tribunal than to a judicial branch court. Privacy advocates will likely challenge the new framework, if approved, in European courts, leading to an ultimate review by the CJEU within a few years.
For more information on what companies should do next, please follow our publications on the DPC blog.