On October 7, 2022, President Biden signed Executive Order (EO) 14086, “Enhancing Safeguards for United States Signals Intelligence Activities,” which provides a new framework for legal data transfers between the European Union (EU) and the United States. The legal basis for transatlantic data transfers has been uncertain since 2020 when the European Court of Justice (ECJ) in Schrems II invalidated the EU-U.S. Privacy Shield Framework to transfer data from the EU and other European Economic Area (EEA) countries to the United States.
This follows the European Commission’s and the United States’ announcement in March 2022 that they had reached an agreement in principle on the new EU-U.S. Data Privacy Framework to facilitate transatlantic data flows.
The executive order addresses data privacy concerns raised by the ECJ in Schrems II by introducing additional safeguards and oversight of personal data collection by U.S. signals intelligence agencies’ (SIGINT) activities and provides individuals with a redress mechanism for their data protection concerns. In particular, EO 14086:
- mandates that SIGINT activities only be “necessary to advance a validated intelligence priority” and “proportionate to the validated intelligence priority.” SIGINT activities shall be undertaken “only in pursuit of one or more” of twelve specific legitimate national security and intelligence objectives;
- allows bulk collection of signals intelligence but subjects such bulk collection to tighter controls and requires that targeted collection be prioritized;
- creates requirements for the handling of personal data collected in signals intelligence and expands oversight to verify compliance and remediate instances of noncompliance;
- takes into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence; and
- creates a multilayer mechanism for individuals of “qualifying state[s]” (including the EU) and regional economic integration organizations to obtain an independent and binding review and redress.
The redress mechanism includes establishing:
- a civil liberties protection officer (CLPO) in the Office of the Director of National Intelligence to conduct initial investigations; and
- the Data Protection Review Court (DPRC) to provide an independent and binding review of CPLO decisions. The DPRC judges will be appointed from outside the U.S. government in consultation with the U.S. Department of Commerce and the independent Privacy and Civil Liberties Oversight Board (PCLOB).
EO 14086 also:
- directs U.S. intelligence agencies to update their policies and procedures “as necessary to implement the privacy and civil liberties safeguards” in EO 14086;
- requires the PCLOB to review these policies and procedures, as well as conduct annual reviews of the redress process; and
- imposes data retention requirements.
The European Commission will review EO 14086, raise any concerns, and, if satisfied, will issue a draft adequacy decision for review by member states, the European Parliament, and the European Data Protection Board (EDPB). The European Commission will also seek a legal opinion from the EDPB. Finally, an EU committee comprising representatives from each EU member state must vote to approve the draft adequacy decision. If the EDPB’s opinion provides a negative outlook, or if privacy campaigners challenge the Framework and/or EO 14086, it may be subject to further revision and discussions between the United States and EU. This legal process could take between six months and a year to complete.
While businesses wait for the draft adequacy decision and the process to commence, they may continue using the standard contractual clauses (SCCs) for transfers outside the EU and the International Data Transfer Agreement (IDTA) for transfers outside the United Kingdom (or the International Data Transfer Addendum to the SCCs, which is to be appended to the new SCCs) when transferring personal data outside the United Kingdom or EU to third countries, along with transfer impact assessments to justify transfers to third countries.
Businesses may want to update their existing contractual agreements to the new SCCs by December 27, 2022.