President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence on Oct. 7, 2022, which aims to re-establish an EU-U.S. data transfer framework. The new data privacy framework (the “Framework”) will govern how the U.S. intelligence community collects data from citizens of a “qualifying state,” namely the EU and U.K., and establishes a redress mechanism for privacy violations.
The Executive Order follows negotiations between the United States and the EU after the Court of Justice of the European Union (“CJEU”) struck down the previous framework—The Privacy Shield—in a 2020 decision commonly known as Schrems II. The CJEU invalidated the Privacy Shield in light of the practices of the U.S. intelligence community and because EU residents did not receive substantially similar rights and remedies in the United States as they would in the EU.
The Framework aims to address concerns from Schrems II by setting out safeguards for privacy and civil liberties, and establishing a redress mechanism for qualifying states. For example, the Framework states that U.S. intelligence activities must be authorized by statute or presidential directive, and that data may be collected only after a determination that the collection advances a “validated intelligence priority” in a manner sufficiently tailored to avoid disproportionately affecting privacy rights and civil liberties. The Framework expressly enumerates permitted and prohibited objectives for U.S. intelligence activities. Some examples of permitted objectives for data collection include threats to U.S. government personnel, to cybersecurity, and to the integrity of electoral processes. Prohibited objectives include, but are not limited to, collecting data on the basis of ethnicity, race, gender, gender identity, sexual orientation or religion. As a redress mechanism, the Framework authorizes the Civil Liberties Protection Officer (“CLPO”) of the Office of the Director of National Intelligence to review qualifying privacy complaints and order remedies, and establishes a Data Protection Review Court with independent judges to review determinations by the CLPO. The Framework requires the U.S. intelligence community to update its policies to reflect the safeguards enumerated in the Framework, and such policies will be reviewed annually by the Privacy and Civil Liberties Oversight Board.
While the European Commission and the U.K. government both received the Executive Order positively, the Framework is not yet in effect. The European Commission will prepare an adequacy decision and commence its adoption process, which involves legislative processes with an uncertain deadline but is projected to conclude in March 2023. Moreover, there will likely be legal challenges against the new adequacy decision. For now, until the Framework is implemented, companies that need to transfer EU or U.K. personal data to the United States should continue using the Standard Contractual Clauses or the International Data Transfer Addendum (collectively, the “SCCs”), as applicable, to comply with data transfer requirements under the EU or U.K. General Data Protection Regulation. Should the Framework be adopted by the EU and/or U.K., it may be welcome relief for companies struggling to comply, but it would be wise to continue using the SCCs (even if in parallel to the Framework) for a period after its adoption in case it is invalidated like its predecessors.
Brown Rudnick’s privacy team regularly advises U.S., EU and U.K. clients on data collection, international data transfers, and use policies and practices. To learn more about data transfers between the U.S. and the EU/U.K., or privacy regulations within the 50 states, please contact Ian DiBernardo, Morgan Jones and Ethan Lin.