In March 2022, the US and EU announced they had agreed in principle to a new Trans-Atlantic Data Privacy Framework (Framework) intended to simplify transfers of personal information. After months of waiting for the final details of the announced agreement, President Biden issued Executive Order 14086 on October 7, 2022, "Enhancing Safeguards For United States Signals Intelligence Activities" (EO 14086). EO 14086 reflects the United States' commitments pursuant to the agreement and is intended to serve as the basis of an adequacy decision by the European Commission (EC) for the new Framework, which will be based on the Privacy Shield Principles. If approved by the EC, the Framework will streamline compliance with the GDPR for transfers of data from the EU to the US. However, this new Framework was necessitated by Austrian activist and lawyer Max Schrems' successful challenge to the EC's prior adequacy decision approving the previous Privacy Shield, and Schrems has already said he might challenge any adequacy decision based on EO 14086 with his pressure group "None of Your Business."

Background

In July 2020, the Court of Justice of the European Union (CJEU) invalidated the previous framework approved by the EC that had facilitated international transfers to the US (the Privacy Shield) in its decision referred to as Schrems II (see here and here). With the invalidation of the Privacy Shield, most businesses had to rely on Standard Contractual Clauses (SCCs) to comply with the GDPR for international data transfers to the US.

The transfer landscape was further complicated in June 2021, when the EC updated the SCCs to require, among other things, onerous Transfer Impact Assessments (TIAs) that detail the data protection laws in the importer's jurisdiction that permit public authorities to access personal data. Inadequate privacy protections in the importer jurisdiction could necessitate supplementary safeguards such as encryption or pseudonymization (we discussed the requirements of the updated SCCs here). One advantage of having a new framework would be that companies could self-certify that they adhere to the Framework and thereby avoid conducting TIAs and negotiating individual data privacy contracts with SCCs for data transfers.

EO 14086 is intended to allow US national security decisionmakers to access "signals intelligence," or data from "electronic signals and systems used by foreign targets, such as communications systems, radars, and weapons systems" to advance national security interests. At the same time, EO 14086 is also intended to address the deficiencies the Schrems II decision identified in the Privacy Shield, i.e., that (1) data collection by US intelligence agencies was not limited to what was necessary and proportionate, and (2) data subjects were not provided with a redress mechanism relating to data collected by US intelligence agencies.

By addressing these issues, the Biden Administration and the EC are aiming for the EC to issue a new adequacy decision approving the Framework, which would significantly streamline compliance efforts for data transfers from the EU to the US. If the adequacy decision is finalized and upheld in any challenge by Schrems or others, businesses will no longer need to rely solely on SCCs as a data transfer mechanism. We provide more detail on the requirements, safeguards, and redress mechanism in the Framework later in this post.

What comes next?

  • Although EO 14086 has immediate effect, the EU must now begin the process of gaining approval for the Framework through a new adequacy decision. In a process that is likely to take at least six months, the EC's draft decision will be subject to review and approval by other EU institutions. The European Data Protection Board (EDPB) will first issue an opinion on whether the new Framework provides sufficient safeguards and remedies for EU residents. While the EDPB's opinion is not binding, the proposed adequacy decision must then be approved by a committee of representatives from EU member states. If the adequacy decision is approved, US businesses will be able to join the Framework by committing to comply with a detailed set of privacy obligations.
  • The redress mechanism under the Framework is available only to residents of "qualifying states," and EO 14086 delegates authority to the Attorney General to designate countries or "regional economic integration organizations" as "qualifying states." The Attorney General will need to designate either specific countries or the EU as a collective before the redress mechanism will be effective for EU citizens, and will likely do so as soon as possible to increase the likelihood of a new adequacy decision by the EC.
  • The executive order establishes a Civil Liberties Protection Officer of the Office of the Director of National Intelligence (CLPO) who will provide an assessment that signals intelligence activities comply with the Framework. That assessment can be appealed to and reviewed by a newly created Data Protection Review Court (DPRC) composed of judges appointed by the Attorney General, who will be private practice lawyers experienced in data privacy and national security law.
  • If a new adequacy decision is issued, it is still likely to be challenged by privacy advocate Max Schrems, who has successfully challenged the previous two adequacy decisions established between the US and EU. Schrems' organization has already opined that the new Framework is unlikely to satisfy EU law, but it remains to be seen whether it will challenge the adequacy decision at the CJEU.
  • One issue not addressed by the Framework is whether decisions made by the newly established DPRC may be challenged in federal courts under the Administrative Procedure Act. The Attorney General's regulation establishing the DPRC provides that it "is not intended to, and does not, modify the availability or scope of any judicial review of the decisions rendered through the redress mechanism, which is governed by existing law."

Takeaways

Because EO 14086 has immediate effect, businesses can start incorporating the additional restrictions on US national security data collection into their Transfer Impact Assessments for international data transfers based on the SCCs. Although each transfer should be analyzed on its specific terms, the additional safeguards detailed in the new executive order should generally militate towards a finding that US treatment of personal data is essentially equivalent to EU standards, and therefore that additional safeguards for the data are not required. Once the redress mechanism is available to EU citizens, that assessment will be further reinforced.

Because of the uncertainty surrounding potential court challenges to the expected EC adequacy decision, businesses may choose to continue to rely on SCCs as an international transfer mechanism to avoid redrafting or negotiating international data transfer agreements in the event the adequacy decision is eventually invalidated by the CJEU.


Further Detail on EO 14086

Additional Safeguards

EO 14086 sets out overarching principles for the collection of signals intelligence, [1] including a requirement that collection activities be necessary to advance a validated intelligence priority and be conducted proportionate to the validated intelligence priority. The Executive Order then sets out twelve legitimate objectives for targeted collection (prioritized over bulk), six objectives for bulk collection (only when data cannot reasonably be obtained by targeted collection), and five "prohibited objectives" for the collection of signals intelligence. As expected, the legitimate objectives for targeted collection include protecting national security and preventing terrorism, while the bulk collection objectives include terrorism, espionage, weapons of mass destruction, cybersecurity, and transnational criminal threats.

Prohibited objectives include advancing discrimination, suppressing individual rights, and favoring US competitors. EO 14086 provides the following additional procedural safeguards regarding the collection of signals intelligence:

  • The newly created position of Civil Liberties Protection Officer of the Office of the Director of National Intelligence (CLPO) must assess whether anticipated signals intelligence activities comply with the legitimate objectives for collection;
  • Agencies responsible for collection of signals intelligence must establish policies and procedures designed to minimize the dissemination and retention of personal information;
  • Agencies that handle personal information collected through signals intelligence must take appropriate security measures and restrict access by unauthorized persons;
  • Agencies that engage in signals intelligence collection shall document their collection activities and set out the agencies' assessment that the collection activity is necessary to advance a validated intelligence priority;
  • The Privacy and Civil Liberties Oversight Board (PCLOB) is encouraged to review the policies and procedures, and within 180 days of any such review, the agency head shall implement or address all of the PCLOB's recommendations.

Notably, EO 14086 provides for the collection of bulk signals intelligence, one of the activities the CJEU took issue with in the Schrems II decision. Bulk signals collection is permitted under EO 14086 for six specific objectives when the data cannot reasonably be obtained by targeted collection. In addition, the EO stipulates that data collected via bulk collection may:

  • only be used to support the initial technical phase of targeted signals intelligence collection activity;
  • only be retained for the short period of time required to complete the initial phase; and
  • be deleted thereafter.

In addition, any agency that queries unminimized intelligence obtained by bulk collection shall do so only consistent with the permissible uses of bulk collection identified in the Executive Order.

EO 14086 also requires that each agency that collects signals intelligence must have senior legal oversight and compliance officials who conduct periodic oversight of intelligence collection activities. These oversight officials are required to report significant incidents of noncompliance to the head of the agency, and that agency head must ensure that remedial actions are taken to prevent the recurrence of the incident of noncompliance. Agencies must also ensure that all employees with access to signals intelligence are appropriately trained on the requirements of EO 14086.

Redress Mechanism

EO 14086 establishes a two-tiered redress mechanism for individuals whose personal data may have been collected by intelligence agencies. The first tier consists of a Civil Liberties Protection Officer (CLPO) investigating, reviewing, and, if necessary, ordering remediation for qualifying complaints.

"Qualifying complaints" are defined as complaints that:

  1. allege a covered violation has occurred that pertains to personal information of or about the complainant, a natural person, reasonably believed to have been transferred to the United States from a qualifying state;
  2. include the following basic information to enable a review: information that forms the basis for alleging that a covered violation has occurred, which need not demonstrate that the complainant's data has in fact been subject to United States signals intelligence activities; the nature of the relief sought; the specific means by which personal information of or about the complainant was believed to have been transmitted to the United States; the identities of the United States government entities believed to be involved in the alleged violation (if known); and any other measures the complainant pursued to obtain the relief requested and the response received through those other measures;
  3. are not frivolous, vexatious, or made in bad faith;
  4. are brought on behalf of the complainant, acting on that person's own behalf, and not as a representative of a governmental, nongovernmental, or intergovernmental organization; and
  5. are transmitted by the appropriate public authority in a qualifying state, after it has verified the identity of the complainant and that the complaint satisfies the conditions set out above.

The availability of the redress mechanism is restricted to residents of "qualifying states." The Attorney General is authorized to designate countries or "regional economic integration organizations" as qualifying states if the Attorney General determines that:

  1. the laws of the jurisdiction require appropriate safeguards in the conduct of signals intelligence activities for US persons' personal information that is transferred from the US to the jurisdiction;
  2. the jurisdiction permits or is anticipated to permit the transfer of personal information for commercial purposes; and
  3. such designation would advance the national interests of the US.

After the review is completed, the CLPO will inform the complainant, without confirming or denying that the complainant was subject to United States signals intelligence activities, that "the review either did not identify any covered violations or the Civil Liberties Protection Officer of the Office of the Director of National Intelligence issued a determination requiring appropriate remediation."

Intelligence agencies will be bound by the CLPO's determinations and will be required to take the remedial measures identified by the CLPO. EO 14086 also provides for the independence of the CLPO and states that the CLPO shall not be removed for any action taken pursuant to the order "except for instances of misconduct, malfeasance, breach of security, neglect of duty, or incapacity."

The complainant shall also be informed that they may apply for a second-tier review of the CLPO's determination, to be conducted by a newly established Data Protection Review Court (DPRC). Pursuant to the EO, the Attorney General has already issued regulations establishing the new court. The Executive Order requires the Attorney General to appoint judges with appropriate experience in the fields of data privacy and national security law, but who are not active employees of the US government. On receipt of a complaint, the Court will convene a special advocate to represent the complainant's interest in the matter. The Court will determine whether there has been a violation of EO 14086. Intelligence agencies will be bound by the DPRC's decisions and must implement appropriate remedial measures.

Similar to the first tier of the review, when the Court has made its determination, it will inform the complainant, without confirming or denying whether the complainant was subject to signals intelligence activities, that:

  1. the DPRC completed its review;
  2. "[t]he review either did not identify any covered violations or the Data Protection Review Court issued a determination requiring appropriate remediation"; and
  3. the notification to the complainant constitutes the final agency action in the matter.

EO 14086 includes the following remedies for violations identified by the CLPO or DPRC:

  • terminating acquisition of data where collection is not lawfully authorized;
  • deleting data that had been acquired without lawful authorization;
  • deleting the results of inappropriately conducted queries of otherwise lawfully collected data;
  • restricting access to lawfully collected data to those appropriately trained; or
  • recalling intelligence reports containing data acquired without lawful authorization or that were otherwise disseminated in a manner inconsistent with United States law.

Conclusions

The executive order puts new restrictions on electronic surveillance by US intelligence agencies and gives European citizens new avenues to file complaints when they believe their personal information has been unlawfully collected by US intelligence agencies. It provides the basis for a new Framework which, if approved, will facilitate data flows between the EU and US and allow for necessary and proportionate collection of signals intelligence to protect US national security interests, while at the same time safeguarding individual privacy interests and civil liberties.

Various institutions within the EU will now have to assess whether they believe the collection of personal data for national security purposes is limited to what is strictly necessary and proportionate and whether the redress mechanism respects EU individuals' right to an effective remedy and fair trial. If the executive order meets those objectives, we hope to see a new adequacy decision that can survive challenge in the CJEU.

[1] The National Security Agency, which is delegated the authority to collect signals intelligence by Executive Order 12333, describes signals intelligence as "intelligence derived from electronic signals and systems used by foreign targets, such as communications systems, radars, and weapons systems."