As we wrote at the time, in July 2020 the European Court of Justice issued a landmark decision that invalidated the Privacy Shield as untenable under the European General Data Protection Regulation (GDPR). The decision sparked negotiations between the United States and the European Union on a workable data privacy framework. And after a two-year hiatus, the U.S. and the EU agreed on a replacement for the Privacy Shield.
The executive order (the “Order”) President Biden signed on October 7, 2022 signaled a step forward for the transatlantic data transfer pact. The Order implements the new EU-U.S. Data Privacy Framework that will enhance protections for EU residents’ personal data. It regulates how the U.S. government will handle the EU personal data and complaints for redress. Although the Order limits certain agencies’ reach into personal data, it represents a much-needed agreement that will help facilitate data sharing across the Atlantic.
New Oversights and Limitations
The Order creates two layers of oversight in the U.S. government. First, it creates the position of Civil Liberties Protection Officer (“CLPO”), who will work within the Office of the Director of National Intelligence and will have the power and independence to investigate possible breaches of citizens’ privacy rights. Second, the Order establishes an oversight court, named the Data Protection Review Court (the “Review Court”), within the Department of Justice. The Review Court will oversee how U.S. intelligence agencies access and use information from citizens of the EU and the U.S.
Redress Mechanism through the Civil Liberties Protection Officers
One of the greatest concerns the EU had with the Privacy Shield was the lack of redress mechanisms for EU residents. Under the Order, the U.S. will create a signals intelligence redress mechanism through which EU residents can file complaints. When a complaint is submitted, the CLPO must investigate it and may even order remediation.
The Data Protection Review Court
Once the CLPO finishes reviewing the complaint, the complainant may apply for review of the CLPO’s determination by the Review Court. If the complainant decides to proceed with the appeal, court-designated “special advocates” would challenge the use of the personal data by the national intelligence agencies on behalf of the complainant. The Review Court would then hand down an independent and binding decision, possibly putting a damper on the agencies’ operations.
Under the Order, the U.S. intelligence agencies can only collect personal data through signals intelligence for specific, defined national security purposes in a “necessary and proportionate” manner. The intelligence agencies have one year to update their policies and procedures to comply with the Order. Meanwhile, the Privacy and Civil Liberties Oversight Board – an existing office created in 2004 to evaluate the impact of executive actions taken to protect the U.S. from terrorism on civil liberties – will review the updated policies and procedures to ensure the agencies’ compliance.
Agencies will be required to consider the nature and extent of the personal information sought and the potential for harmful impact on the individual before disseminating or retaining personal information collected through signals intelligence. Under the Order, various protections that already apply to the personal data of U.S. residents will be extended to the personal data of non-U.S. residents.
The Order also lists safeguards the U.S. intelligence agencies must adopt and narrows down the legitimate objectives the government can pursue through signals intelligence. Most of the acceptable objectives are directed against various forms of threats from foreign sources. The intelligence agencies must document their data collection to be prepared to provide a factual basis as to why the collection was necessary to advance a legitimate objective.
Now that the U.S. has sent the Order to the European Commission for review, the EU must decide whether the U.S. government has done enough to address the ongoing concerns over government surveillance and judicial redress. The survival of the new Data Privacy Framework hinges on the EU’s adoption of a new “adequacy” determination for the U.S.
The EU’s determination process is estimated to last six months. Once the European Commission accepts the Order as satisfactory, the U.S. and the EU will publish a finalized agreement around March 2023. Even though the new Data Privacy Framework regulates the activities of the U.S. government, companies may still have to consider what changes they must make to their policies and data practices once the new framework is adopted. Since the U.S. intelligence agencies must update their policies and procedures to comply with the Order within one year, we may see many changes throughout the year 2023.