LawFlash

EU-US Data Transfers: New Executive Order Enhances Protections, but Will It Suffice?

October 11, 2022

US President Joseph Biden signed the long-anticipated Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (EO) on October 7, 2022, providing enhanced protections in an effort to restore the free flow of personal data transfers from Europe to the United States.

The EO attempts to address the European Court of Justice’s Schrems II decision, which complicated data transfers from the European Union to the United States because of concerns over US government surveillance activities. In part, the EO offers enhanced protections for personal data collected through intelligence activities and implements new safeguards for the collection of personal data. The goal of these new protections is to enable the European Commission to restore a straightforward data transfer mechanism eliminating the uncertainty many organizations face when exporting data to the United States.

The EO builds on the preliminary agreement that President Biden and European Commission President Ursula von der Leyen announced in March 2022. Although this action is a step forward, there is still a long way to go before data can flow freely from the European Union to the United States.

Enhanced Protections

The EO adds safeguards for US signals intelligence activities, including requiring these activities to be conducted only in pursuit of defined national security objectives.

  • To address Europe’s concerns about a lack of redress, the EO creates a “multi-layer mechanism” for individuals from “qualifying states and regional economic integration organizations” to raise claims about the collection of their personal information through US signals intelligence. This process includes the following:
    • The appointment of a Civil Liberties Protection Officer (CLPO) in the Office of the Director of National Intelligence to investigate complaints regarding violations of US law and to undertake any necessary remediation.
    • For any appeals, the creation of a Data Protection Review Court (DPRC) to provide an independent and binding review of the CLPO’s decisions, upon an application from the individual or a member of the intelligence community. Under the EO, DPRC judges will be appointed from outside the government, will have backgrounds in data privacy and national security, will review cases independently, and will enjoy protections against removal. The DPRC will select a “special advocate” in each case to advocate regarding the complainant’s interest in the matter.
  • To address concerns about the extent of potential surveillance, according to the EO, the Privacy and Civil Liberties Oversight Board (PCLOB) will review intelligence community policies and procedures to ensure they are consistent with the EO and conduct an annual review of the redress process, including by reviewing whether the intelligence community has fully complied with determinations made by the CLPO and DPRC.

Finally, the EO partially revokes the Presidential Policy Directive 28 of January 17, 2014 (Signals Intelligence Activities) (PPD-28). Following President Biden’s actions, only Sections 3 and 6 of PPD-28 and the classified annex remain in effect.

Reactions in Europe

The European Commission has not yet released an official statement on the EO. However, NOYB, Max Schrems’s organization, promptly released a critical statement about the EO. NOYB stated that there is no indication that US mass surveillance will change in practice, and expressed the view that so-called “bulk surveillance” will be permitted under the EO and data sent to the United States will still be subject to government surveillance.

US surveillance laws were the key point in the overturning of the Safe Harbor and Privacy Shield frameworks. To address these points in the context of using standard contractual clauses, the European Commission’s decisions with new forms of standard contractual clauses, as well as European Data Protection Board guidelines on implementing supplementary transfer tools and essential guarantees, require exporting and importing organizations to undertake risk assessments addressing these surveillance laws, not all of which apply to many organizations.

Next Steps

The new data transfer framework is likely to take several more months to be finalized and made available to US organizations. Several significant steps at various levels must be taken:

  • The EU Commission must draft an adequacy determination and may set parameters such as regular reviews of the framework.
  • The European Data Protection Board must issue a nonbinding opinion (and may request further documents prior to doing so).
  • A committee composed of the EU member states’ representatives must approve the proposal with a qualified majority.
  • The EU Commission must adopt its adequacy determination.

This process could take until spring 2023. Whatever the outcome is, privacy activists such as Schrems and NOYB will likely challenge it in court. The EO may also be subject to challenges in US courts because it arguably gives EU residents greater privacy protections than US citizens. It remains to be seen whether the United Kingdom will adopt this framework or enact its own data transfer framework with the United States.
