Biden Executive Order Seeks to Solidify European Union-U.S. Data Privacy Framework
6 min read
After a two year absence of a legal framework for transferring personal data from the EU to the U.S., President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the “Order”) on October 7, 2022, that will usher in a new EU-U.S. Data Privacy Framework (the "Framework"). The Framework will regulate how US intelligence agencies may collect data from EU citizens and creates new mechanisms to address any claims that personal information was collected or handled in violation of either U.S. law or the Framework.
The Framework, which was first announced as an agreement in principle by Biden and European Commission President Ursula von der Leyen in March 2022, is intended to re-establish the legal regime governing data transfers from the EU to the US, after the previous regime, the Privacy Shield, was invalidated by the Court of Justice of the European Union ("CJEU") in 2020.
Although the Order authorizes implementation measures for this new Framework under U.S. law, ultimately, the European Commission will now need to issue an adequacy opinion to approve the Framework.
Key Provisions of the Executive Order
- Mandates that US intelligence agencies may only collect signals intelligence for a defined national security objective, only when necessary to advance a validated intelligence priority and only in a manner that is proportionate to that priority; U.S. signals intelligence activities must further consider the privacy and civil liberties of all persons, regardless of nationality or country of residence;
- Creates requirements for the handling of personal data collected in signals intelligence and expands oversight to verify compliance and remediate instances of non-compliance;
- Creates a multi-step redress mechanism for citizens of “qualifying states,” (ostensibly, including the EU) and certain regional economic organizations to get binding review of claims that their personal information was obtained or handled in violation of U.S. law or the Order, including:
- A Civil Liberties Protection Officer ("CPLO") in the Office of the Director of National Intelligence to investigate complaints and determine binding remedial measures on the Intelligence Community, subject to a second level of review, below;
- The creation of a Data Protection Review Court ("DPRC") to issue independent and binding review of CPLO decisions. DPRC Judges will be appointed from outside the U.S. government, must have data privacy and national security experience, and will be protected against removal;
- Directs the U.S. intelligence community to update policies and procedures to reflect the safeguards provided in the Order, and calls on the Privacy and Civil Liberties Oversight Board to review those policies and procedures annually.
U.S. – EU Data Transfers - A Shifting Landscape
In announcing the Order, President Biden emphasized that a key goal of the Framework is to provide legal certainty around transatlantic data transfers, in the context of the $72 trillion U.S.-EU economic relationship.
U.S. and EU officials have been negotiating the terms of the Framework ever since the previous US-EU data privacy regime, governed by the Privacy Shield agreement, was invalidated in July 2020 by the CJEU. In that decision, known as Schrems II, the CJEU struck down the European Commission’s 2016 adequacy decision approving the Privacy Shield for two main reasons: first, because it determined that the Privacy Shield did not adequately protect EU citizens from U.S. national security data collection methods, and second, because there were not adequate redress mechanisms for EU citizens in the event of an alleged privacy violation.
The new framework appears to directly address these issues through new restrictions on collecting signals intelligence and the establishment of the multi-layer redress mechanism. Notably, the restrictions incorporate the "necessary" and "proportionate" language often used in EU jurisprudence, define permitted and prohibited legitimate objectives for signals intelligence collection, and identify specific privacy and civil liberties safeguards. In addition, the re-dress mechanism is a clear improvement from the mechanism under the former Privacy Shield framework, which allowed individuals to turn to an Ombudsperson in the U.S. State Department. These mechanisms, among others incorporated in the Executive Order evidence the efforts made by the U.S. to improve its approach to EU data subject privacy since Schrems II.
As the new proposed framework undergoes the approval process, companies should plan to continue to use those SCCs and BCRs until and unless the new Framework is effectively implemented in such a manner that those would no longer be required.
With the U.S. Order now signed, the European Commission is expected to prepare a draft adequacy decision for review by member governments and the European Data Protection Board. Following those reviews, the European Commission must issue an adequacy opinion affirming that the new Framework provides European citizens with data privacy safeguards, with respect to transfers to the United States, that meet the requirements of the GDPR. While it remains unclear whether EU authorities will consider the new framework sufficiently protective, following the White House’s announcement of the Executive Order, the European Commission ("EC") issued a statement, indicating it did not believe the European Court of Justice would strike down this agreement. The EC noted, "[t]he objective of the Commission in these negotiations has been to address the concerns raised by the Court of Justice of the EU in the Schrems II judgment and provide a durable and reliable legal basis for transatlantic data flows. This is reflected in the safeguards included in the Executive Order . . . ."
On the U.S. side, the Attorney General issued implementing regulations to create the DPRC. In addition, Commerce Secretary Gina Raimondo stated that she will send various implementing documents from U.S. government agencies to her EU counterpart. Secretary Raimondo also stated the new framework will update the privacy principles companies must adhere to under The Framework (previously known as the EU-U.S. Privacy Shield Framework Principles) and that the Department of Commerce will work with Framework participants to transition to the updated principles under The Framework.
Businesses, including the more than 5,300 multinational companies that previously relied on the Privacy Shield Framework before it was invalidated, are eager to see a new framework to streamline data transfers between the EU and U.S. Many businesses who needed to transfer EU personal data to the United States have been using other approved personal data transfer mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules, in an attempt to comply with the transatlantic personal data transfer requirements under the EU General Data Protection Regulation ("GDPR").
Meanwhile, Max Schrems, the Austrian privacy activist that initiated the initial challenges that struck down previous data transfer frameworks has already indicated he will challenge the new framework and expressed skepticism about both the validity of the new DPRC as a court and whether the E.U and the U.S. are truly aligned on what constitutes, "necessary" and "proportionate" data collection and use by intelligence authorities.
The new Framework fills a significant gap and promises to provide businesses greater legal certainty in transferring EU personal data to the U.S. Importantly, approval by the European Commission will signal that the European Commission deems the U.S. to have adequate privacy protections in place over the personal data transferred to the U.S., further enhancing the development of the U.S. data privacy framework.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2022 White & Case LLP