International: President Biden signs Executive Order to implement EU-US Data Privacy Framework
The White House announced, on 7 October 2022, that President, Joseph Biden, had signed, on the same date, an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which directs the steps that the US will take to implement its commitments under the European Union - U.S. Data Privacy Framework ('EU-US DPF'), as announced in March 2022.
In particular, the accompanying factsheet explains that the EU-US DPF aims to restore the legal basis for transatlantic data flows by addressing concerns expressed by the Court of Justice of the European Union ('CJEU') ruling in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II Case'), whereby the Privacy Shield framework was invalidated as a data transfer mechanism. More specifically, the Executive Order:
- adds further safeguards for US signals intelligence activities;
- mandates handling requirements for personal information collected through signals intelligence activities and extends officials' responsibilities;
- requires US Intelligence Community elements to update their policies and procedures;
- creates a multi-layer mechanism for individuals from qualifying states and regional economic integration organisations, as designated under the Executive Order, to obtain independent and binding review and redress; and
- calls on the Privacy and Civil Liberties Oversight Board to review Intelligence Community policies and procedures.
Furthermore, the Executive Order aims to provide the European Commission with the basis to adopt a new adequacy determination, which would also provide greater legal certainty for companies using Standard Contractual Clauses ('SCCs') and Binding Corporate Rules ('BCRs') for EU-US data transfers.
Within 60 days of the date of the order, the Attorney General and heads of elements of the Intelligence Community that collect or handle personal information collected through signals intelligence, shall establish a process for the submission of qualifying complaints transmitted by the appropriate public authority in a qualifying state.
Accordingly, the executive order provides the Civil Liberties Protection Officer of the Office of the Director of National Intelligence ('CLPO') with powers to investigate, review, and, as necessary, order appropriate remediation for qualifying complaints. Furthermore, the Attorney General is authorised to establish a process to review the CLPO's determinations, and, also within 60 days of the date of the order, promulgate regulations establishing a Data Protection Review Court ('DPRC') to exercise the Attorney General's authority for such reviews. In light of this, the Attorney General, Merrick Garland, signed, on the same date, the regulation establishing the DPRC.
European Commission Q&As
In response to the Executive Order, the European Commission released its Questions and Answers ('Q&As') and announced that it will now prepare a draft adequacy decision, as well as launch its adoption procedure, a process which could take up to six months.
The European Commission confirmed that prior to adopting an adequacy decision it must obtain an opinion from the European Data Protection Board and receive approval from a committee composed of representatives of the EU Member States. In addition, the European Parliament has a right of scrutiny over adequacy decisions.
Finally, the European Commission highlighted that an adequacy decision is not the only tool for international transfers and that all the safeguards it has agreed with the US Government in the area of national security will be available for all transfers to the US under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), regardless of the transfer tool used.
You can read the Executive Order here, the factsheet here, the Q&As here, the Department of Justice page here, the DPRC Regulations here, the EU Justice announcement here, and the Future of Privacy Forum statement here.